heimdal: CVE-2022-44640 CVE-2022-42898 CVE-2022-3437 CVE-2021-44758


Debian Bug report logs - #1024187


Package: src:heimdal; Maintainer for src:heimdal is Brian May <bam@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 15 Nov 2022 21:30:02 UTC

Severity: grave

Tags: security, upstream

Found in version heimdal/7.7.0+dfsg-6



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Brian May <bam@debian.org>:
Bug#1024187; Package src:heimdal. (Tue, 15 Nov 2022 21:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Brian May <bam@debian.org>. (Tue, 15 Nov 2022 21:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: heimdal: CVE-2022-44640 CVE-2022-42898 CVE-2022-3437 CVE-2021-44758
Date: Tue, 15 Nov 2022 22:26:42 +0100
Source: heimdal
Version: 7.7.0+dfsg-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for heimdal.

CVE-2022-44640[0]:
| Invalid free in ASN.1 codec

CVE-2022-42898[1]:
| krb5_pac_parse() buffer parsing vulnerability

CVE-2022-3437[2]:
| Buffer overflow in Heimdal unwrap_des3()

CVE-2021-44758[3]:
| spnego: send_reject when no mech selected

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

From the 7.7.1 release notes[4]:

| This release fixes the following Security Vulnerabilities:
| 
|     CVE-2022-42898 PAC parse integer overflows
| 
|     CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
| 
|     CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
| 
|     CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
| 
|     Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
|     on the Common Vulnerability Scoring System (CVSS) v3, as we believe
|     it should be possible to get an RCE on a KDC, which means that
|     credentials can be compromised that can be used to impersonate
|     anyone in a realm or forest of realms.
| 
|     Heimdal's ASN.1 compiler generates code that allows specially
|     crafted DER encodings of CHOICEs to invoke the wrong free function
|     on the decoded structure upon decode error. This is known to impact
|     the Heimdal KDC, leading to an invalid free() of an address partly
|     or wholly under the control of the attacker, in turn leading to a
|     potential remote code execution (RCE) vulnerability.
| 
|     This error affects the DER codec for all extensible CHOICE types
|     used in Heimdal, though not all cases will be exploitable. We have
|     not completed a thorough analysis of all the Heimdal components
|     affected, thus the Kerberos client, the X.509 library, and other
|     parts, may be affected as well.
| 
|     This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
|     only affect Heimdal 1.6 and up. It was first reported by Douglas
|     Bagnall, though it had been found independently by the Heimdal
|     maintainers via fuzzing a few weeks earlier.
| 
|     While no zero-day exploit is known, such an exploit will likely be
|     available soon after public disclosure.
| 
|     CVE-2019-14870: Validate client attributes in protocol-transition
| 
|     CVE-2019-14870: Apply forwardable policy in protocol-transition
| 
|     CVE-2019-14870: Always lookup impersonate client in DB

(CVE-2019-14870 was already fixed earlier in unstable)

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-44640
    https://www.cve.org/CVERecord?id=CVE-2022-44640
[1] https://security-tracker.debian.org/tracker/CVE-2022-42898
    https://www.cve.org/CVERecord?id=CVE-2022-42898
[2] https://security-tracker.debian.org/tracker/CVE-2022-3437
    https://www.cve.org/CVERecord?id=CVE-2022-3437
[3] https://security-tracker.debian.org/tracker/CVE-2021-44758
    https://www.cve.org/CVERecord?id=CVE-2021-44758
[4] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.7.1

Regards,
Salvatore
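Added example, not part of this bug report and not Heimdal's generated code: the 7.7.1 release note quoted above describes CHOICE decoders that, on a decode error, run cleanup through a discriminant that no longer matches the union member actually holding data, so a free() lands on bytes the sender controls. The toy C decoder below reproduces that pattern in miniature beside a corrected version. The wire format (one tag byte, one length byte, content), the type and function names, and the inputs are all constructed for the illustration; a small free() audit shim counts an invalid free instead of executing it, which is the signal a sanitizer would raise.

```c
/* Added example, not Heimdal code: tagged-union cleanup dispatched on a stale
 * discriminant (buggy) versus a discriminant set before the payload (fixed). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum choice_tag { choice_none = 0, choice_str, choice_num };
struct example_choice {
    enum choice_tag element;
    union {
        struct { uint8_t *data; size_t length; } str;  /* heap pointer at offset 0 */
        uint64_t num;                                  /* overlays that pointer slot */
    } u;
};

/* Allocation audit: only pointers handed out by audit_malloc may be freed. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int bad_free_count;
static void *audit_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
static void audit_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_free_count++;   /* invalid free: heap corruption with a real allocator */
}

/* Generated-style free function: it trusts the discriminant. */
static void free_choice(struct example_choice *c) {
    if (c->element == choice_str) { audit_free(c->u.str.data); c->u.str.data = NULL; }
    c->element = choice_none;
}
static int decode_str(const uint8_t *c, size_t clen, struct example_choice *out) {
    if (!(out->u.str.data = audit_malloc(clen ? clen : 1))) return -1;
    memcpy(out->u.str.data, c, clen);
    out->u.str.length = clen;
    return 0;
}
static int decode_num(const uint8_t *c, size_t clen, struct example_choice *out) {
    uint64_t v = 0;
    if (clen > 8) return -1;
    for (size_t i = 0; i < clen; i++) v = (v << 8) | c[i];
    out->u.num = v;   /* overwrites the pointer slot of u.str */
    return 0;
}

/* Buggy: the discriminant defaults to the first alternative and is updated
 * only after every check passes, so a failure after the INTEGER payload has
 * been stored frees sender-controlled bytes as if they were a pointer. */
static int decode_choice_buggy(const uint8_t *p, size_t len, struct example_choice *out) {
    memset(out, 0, sizeof *out); out->element = choice_str;
    if (len < 2 || (size_t)p[1] > len - 2) return -1;
    size_t clen = p[1];
    if (p[0] == 0xA0) { if (decode_str(p + 2, clen, out)) goto fail; }
    else if (p[0] == 0xA1) { if (decode_num(p + 2, clen, out)) goto fail; }
    else goto fail;
    if (len != 2 + clen) goto fail;             /* DER: no trailing bytes */
    if (p[0] == 0xA1) out->element = choice_num;
    return 0;
fail:
    free_choice(out);                           /* element still says choice_str */
    return -1;
}

/* Fixed: start from choice_none and set the discriminant before the payload
 * is stored, so element and payload agree on every path into free_choice(). */
static int decode_choice_fixed(const uint8_t *p, size_t len, struct example_choice *out) {
    memset(out, 0, sizeof *out);
    if (len < 2 || (size_t)p[1] > len - 2) return -1;
    size_t clen = p[1];
    if (p[0] == 0xA0) { out->element = choice_str; if (decode_str(p + 2, clen, out)) goto fail; }
    else if (p[0] == 0xA1) { out->element = choice_num; if (decode_num(p + 2, clen, out)) goto fail; }
    else goto fail;
    if (len != 2 + clen) goto fail;
    return 0;
fail:
    free_choice(out);                           /* frees only what this call allocated */
    return -1;
}

typedef int (*decoder_fn)(const uint8_t *, size_t, struct example_choice *);
/* Constructed input: [1] INTEGER 0x41414141 plus a trailing byte, so decoding
 * fails after the union holds those bytes. Returns invalid frees detected. */
static int invalid_frees_on_crafted_input(decoder_fn decode) {
    static const uint8_t crafted[] = { 0xA1, 0x04, 0x41, 0x41, 0x41, 0x41, 0xFF };
    struct example_choice ch;
    bad_free_count = 0;
    (void)decode(crafted, sizeof crafted, &ch);
    return bad_free_count;
}
/* Constructed valid input: [0] OCTET STRING "kdc". Returns its length, 0 on error. */
static size_t decoded_string_length(decoder_fn decode) {
    static const uint8_t ok[] = { 0xA0, 0x03, 'k', 'd', 'c' };
    struct example_choice ch;
    if (decode(ok, sizeof ok, &ch) != 0 || ch.element != choice_str) return 0;
    size_t n = ch.u.str.length;
    free_choice(&ch);
    return n;
}
```

The audit shim is the detection point: on the crafted input the buggy decoder reports one invalid free and the fixed one none, while both still decode the valid string. That is the same signal AddressSanitizer gives when decode entry points are fuzzed, which is how the release note says the Heimdal maintainers found the bug independently. The fix is not in free_choice() but in keeping the discriminant and the union payload consistent at every point where an error can jump to cleanup.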





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Nov 16 07:17:18 2022; Machine Name: buxtehude
