CVE-2022-42898

krb5: integer overflow vulnerabilities in PAC parsing

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

El análisis sintáctico de PAC en MIT Kerberos 5 (también conocido como krb5) antes de 1.19.4 y 1.20.x antes de 1.20.1 tiene desbordamientos de enteros que pueden conducir a la ejecución remota de código (en KDC, kadmind, o un servidor de aplicaciones GSS o Kerberos) en plataformas de 32 bits (que tienen un desbordamiento de búfer resultante), y causar una denegación de servicio en otras plataformas. Esto ocurre en krb5_pac_parse en lib/krb5/krb/pac.c. Heimdal antes de 7.7.1 tiene "un bug similar".

A vulnerability was found in MIT krb5. This flaw allows an authenticated attacker to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. A privileged attacker may similarly be able to cause a Kerberos or GSS application service to crash.

Juraj Somorovsky, Marcel Maehren, Nurullah Erinola, and Robert Merget discovered that the DTLS implementation in the JSSE subsystem of OpenJDK did not properly restrict handshake initiation requests from clients. A remote attacker could possibly use this to cause a denial of service. Markus Loewe discovered that the Java Sound subsystem in OpenJDK did not properly validate the origin of a Soundbank. An attacker could use this to specially craft an untrusted Java application or applet that could load a Soundbank from an attacker controlled remote URL.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-10-13 CVE Reserved
2022-11-21 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-190: Integer Overflow or Wraparound

CAPEC

References (13)

URL	Tag	Source
https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c	Third Party Advisory
https://security.netapp.com/advisory/ntap-20230216-0008
https://security.netapp.com/advisory/ntap-20230223-0001
https://www.samba.org/samba/security/CVE-2022-42898.html	Third Party Advisory

URL	Date	SRC
https://bugzilla.samba.org/show_bug.cgi?id=15203	2024-08-03

URL	Date	SRC
https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583	2023-10-08

URL	Date	SRC
https://security.gentoo.org/glsa/202309-06	2023-10-08
https://security.gentoo.org/glsa/202310-06	2023-10-08
https://web.mit.edu/kerberos/advisories	2023-10-08
https://web.mit.edu/kerberos/krb5-1.19	2023-10-08
https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt	2023-10-08
https://access.redhat.com/security/cve/CVE-2022-42898	2022-12-14
https://bugzilla.redhat.com/show_bug.cgi?id=2140960	2022-12-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				>= 1.8 < 1.19.4 Search vendor "Mit" for product "Kerberos 5" and version " >= 1.8 < 1.19.4"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.20 Search vendor "Mit" for product "Kerberos 5" and version "1.20"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.20 Search vendor "Mit" for product "Kerberos 5" and version "1.20"		beta1		Affected
Heimdal Project Search vendor "Heimdal Project"		Heimdal Search vendor "Heimdal Project" for product "Heimdal"				< 7.7.1 Search vendor "Heimdal Project" for product "Heimdal" and version " < 7.7.1"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				< 4.15.12 Search vendor "Samba" for product "Samba" and version " < 4.15.12"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.16.0 < 4.16.7 Search vendor "Samba" for product "Samba" and version " >= 4.16.0 < 4.16.7"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.17.0 < 4.17.3 Search vendor "Samba" for product "Samba" and version " >= 4.17.0 < 4.17.3"		-		Affected