Control: retitle -1 heimdal: CVE-2022-44640 CVE-2022-42898 CVE-2022-41916 CVE-2022-3437 CVE-2021-44758
On Tue, Nov 15, 2022 at 10:26:42PM +0100, Salvatore Bonaccorso wrote:
> Source: heimdal
> Version: 7.7.0+dfsg-6
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerabilities were published for heimdal.
>
> CVE-2022-44640[0]:
> | Invalid free in ASN.1 codec
>
> CVE-2022-42898[1]:
> | krb5_pac_parse() buffer parsing vulnerability
>
> CVE-2022-3437[2]:
> | Buffer overflow in Heimdal unwrap_des3()
>
> CVE-2021-44758[3]:
> | spnego: send_reject when no mech selected
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> From the 7.7.1 release notes[4]:
>
> | This release fixes the following Security Vulnerabilities:
> |
> | CVE-2022-42898 PAC parse integer overflows
> |
> | CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
> |
> | CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
> |
> | CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
> |
> | Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
> | on the Common Vulnerability Scoring System (CVSS) v3, as we believe
> | it should be possible to get an RCE on a KDC, which means that
> | credentials can be compromised that can be used to impersonate
> | anyone in a realm or forest of realms.
> |
> | Heimdal's ASN.1 compiler generates code that allows specially
> | crafted DER encodings of CHOICEs to invoke the wrong free function
> | on the decoded structure upon decode error. This is known to impact
> | the Heimdal KDC, leading to an invalid free() of an address partly
> | or wholly under the control of the attacker, in turn leading to a
> | potential remote code execution (RCE) vulnerability.
> |
> | This error affects the DER codec for all extensible CHOICE types
> | used in Heimdal, though not all cases will be exploitable. We have
> | not completed a thorough analysis of all the Heimdal components
> | affected, thus the Kerberos client, the X.509 library, and other
> | parts, may be affected as well.
> |
> | This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
> | only affect Heimdal 1.6 and up. It was first reported by Douglas
> | Bagnall, though it had been found independently by the Heimdal
> | maintainers via fuzzing a few weeks earlier.
> |
> | While no zero-day exploit is known, such an exploit will likely be
> | available soon after public disclosure.
> |
> | CVE-2019-14870: Validate client attributes in protocol-transition
> |
> | CVE-2019-14870: Apply forwardable policy in protocol-transition
> |
> | CVE-2019-14870: Always lookup impersonate client in DB
>
> (CVE-2019-14870 was already fixed earlier in unstable)
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-44640
>     https://www.cve.org/CVERecord?id=CVE-2022-44640
> [1] https://security-tracker.debian.org/tracker/CVE-2022-42898
>     https://www.cve.org/CVERecord?id=CVE-2022-42898
> [2] https://security-tracker.debian.org/tracker/CVE-2022-3437
>     https://www.cve.org/CVERecord?id=CVE-2022-3437
> [3] https://security-tracker.debian.org/tracker/CVE-2021-44758
>     https://www.cve.org/CVERecord?id=CVE-2021-44758
> [4] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.7.1

Retrospectively to one issue an additional CVE was assigned, cf.
https://github.com/heimdal/heimdal/security/advisories/GHSA-mgqr-gvh6-23cx
(CVE-2022-41916).

Unless mistaken, this should be
https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c
which is as well included in 7.7.1 (and 7.8).

Regards,
Salvatore