Source: heimdal
Version: 7.7.0+dfsg-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for heimdal.

CVE-2022-44640[0]:
| Invalid free in ASN.1 codec

CVE-2022-42898[1]:
| krb5_pac_parse() buffer parsing vulnerability

CVE-2022-3437[2]:
| Buffer overflow in Heimdal unwrap_des3()

CVE-2021-44758[3]:
| spnego: send_reject when no mech selected

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

From the 7.7.1 release notes[4]:

| This release fixes the following Security Vulnerabilities:
| 
|     CVE-2022-42898 PAC parse integer overflows
| 
|     CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
| 
|     CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
| 
|     CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
| 
|     Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
|     on the Common Vulnerability Scoring System (CVSS) v3, as we believe
|     it should be possible to get an RCE on a KDC, which means that
|     credentials can be compromised that can be used to impersonate
|     anyone in a realm or forest of realms.
| 
|     Heimdal's ASN.1 compiler generates code that allows specially
|     crafted DER encodings of CHOICEs to invoke the wrong free function
|     on the decoded structure upon decode error. This is known to impact
|     the Heimdal KDC, leading to an invalid free() of an address partly
|     or wholly under the control of the attacker, in turn leading to a
|     potential remote code execution (RCE) vulnerability.
| 
|     This error affects the DER codec for all extensible CHOICE types
|     used in Heimdal, though not all cases will be exploitable. We have
|     not completed a thorough analysis of all the Heimdal components
|     affected, thus the Kerberos client, the X.509 library, and other
|     parts, may be affected as well.
| 
|     This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
|     only affect Heimdal 1.6 and up. It was first reported by Douglas
|     Bagnall, though it had been found independently by the Heimdal
|     maintainers via fuzzing a few weeks earlier.
| 
|     While no zero-day exploit is known, such an exploit will likely be
|     available soon after public disclosure.
| 
|     CVE-2019-14870: Validate client attributes in protocol-transition
| 
|     CVE-2019-14870: Apply forwardable policy in protocol-transition
| 
|     CVE-2019-14870: Always lookup impersonate client in DB

(CVE-2019-14870 was already fixed earlier in unstable)

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-44640
    https://www.cve.org/CVERecord?id=CVE-2022-44640
[1] https://security-tracker.debian.org/tracker/CVE-2022-42898
    https://www.cve.org/CVERecord?id=CVE-2022-42898
[2] https://security-tracker.debian.org/tracker/CVE-2022-3437
    https://www.cve.org/CVERecord?id=CVE-2022-3437
[3] https://security-tracker.debian.org/tracker/CVE-2021-44758
    https://www.cve.org/CVERecord?id=CVE-2021-44758
[4] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.7.1

Regards,
Salvatore
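As an added illustration of the cleanup invariant the quoted release notes describe for extensible CHOICE types (this is not Heimdal's generated code; the `Example` type, its tags, and the short-form-length-only assumption are hypothetical), a small DER decoder whose free routine can only ever act on the alternative that actually finished decoding:

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical extensible CHOICE, not Heimdal's generated code:
 *   Example ::= CHOICE { num [0] IMPLICIT INTEGER,
 *                        str [1] IMPLICIT OCTET STRING, ... } */
typedef enum { choice_unset = 0, choice_num, choice_str, choice_ellipsis } Element;
typedef struct { size_t len; unsigned char *data; } Blob;
typedef struct { Element element; union { long num; Blob str; Blob ellipsis; } u; } Example;

/* Free only the alternative that was actually decoded, then reset the value. */
void free_Example(Example *e)
{
    switch (e->element) {
    case choice_str:      free(e->u.str.data);      break;
    case choice_ellipsis: free(e->u.ellipsis.data); break;
    default:              break;   /* choice_unset and choice_num own no heap memory */
    }
    memset(e, 0, sizeof(*e));
}

static int copy_blob(Blob *b, const unsigned char *p, size_t len)
{
    if ((b->data = malloc(len ? len : 1)) == NULL) return -1;
    memcpy(b->data, p, len); b->len = len; return 0;
}

/* DER decode of one Example TLV; short-form lengths only (assumption). Returns 0
 * on success, -1 on error. The discriminant is written only after the chosen
 * alternative decoded completely, so a failed decode leaves *out all-zero and
 * free_Example() then has nothing to free (no stale or wrong-branch pointer). */
int decode_Example(const unsigned char *p, size_t len, Example *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 2 || p[1] > 127 || (size_t)p[1] + 2 != len) return -1;
    size_t clen = p[1];
    const unsigned char *c = p + 2;
    if (p[0] == 0x80) {                          /* [0] INTEGER, 1..4 content bytes */
        if (clen == 0 || clen > 4) return -1;
        unsigned long v = (c[0] & 0x80) ? ~0UL : 0;   /* sign-extend two's complement */
        for (size_t i = 0; i < clen; i++) v = (v << 8) | c[i];
        out->u.num = (long)v;
        out->element = choice_num;
    } else if (p[0] == 0x81) {                   /* [1] OCTET STRING */
        if (copy_blob(&out->u.str, c, clen)) return -1;
        out->element = choice_str;
    } else {                                     /* unknown alternative: keep raw TLV */
        if (copy_blob(&out->u.ellipsis, p, len)) return -1;
        out->element = choice_ellipsis;
    }
    return 0;
}
```

The point to check in any generated codec is the same: the discriminant must never name an alternative whose storage was not fully initialised, or the free path will dispatch on attacker-influenced state.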
