CVE-2022-42898

krb5: integer overflow vulnerabilities in PAC parsing

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

El análisis sintáctico de PAC en MIT Kerberos 5 (también conocido como krb5) antes de 1.19.4 y 1.20.x antes de 1.20.1 tiene desbordamientos de enteros que pueden conducir a la ejecución remota de código (en KDC, kadmind, o un servidor de aplicaciones GSS o Kerberos) en plataformas de 32 bits (que tienen un desbordamiento de búfer resultante), y causar una denegación de servicio en otras plataformas. Esto ocurre en krb5_pac_parse en lib/krb5/krb/pac.c. Heimdal antes de 7.7.1 tiene "un bug similar".

A vulnerability was found in MIT krb5. This flaw allows an authenticated attacker to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service. A privileged attacker may similarly be able to cause a Kerberos or GSS application service to crash.

USN-7582-1 fixed vulnerabilities in Samba. The update introduced a regression. This update fixes the problem. Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. Greg Hudson discovered that Samba incorrectly handled PAC parsing. On 32-bit systems, a remote attacker could use this issue to escalate privileges, or possibly execute arbitrary code. Joseph Sutton discovered that Samba could be forced to issue rc4-hmac encrypted Kerberos tickets. A remote attacker could possibly use this issue to escalate privileges. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. Florent Saudel discovered that Samba incorrectly handled certain Spotlight requests. A remote attacker could possibly use this issue to cause Samba to consume resources, leading to a denial of service.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-10-13 CVE Reserved
2022-11-15 CVE Published
2025-04-14 CVE Updated
2025-04-14 First Exploit
2025-06-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-190: Integer Overflow or Wraparound

CAPEC

References (13)

URL	Tag	Source
https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c	Third Party Advisory
https://security.netapp.com/advisory/ntap-20230216-0008
https://security.netapp.com/advisory/ntap-20230223-0001
https://www.samba.org/samba/security/CVE-2022-42898.html	Third Party Advisory

URL	Date	SRC
https://bugzilla.samba.org/show_bug.cgi?id=15203	2025-04-14

URL	Date	SRC
https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583	2023-10-08

URL	Date	SRC
https://security.gentoo.org/glsa/202309-06	2023-10-08
https://security.gentoo.org/glsa/202310-06	2023-10-08
https://web.mit.edu/kerberos/advisories	2023-10-08
https://web.mit.edu/kerberos/krb5-1.19	2023-10-08
https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt	2023-10-08
https://access.redhat.com/security/cve/CVE-2022-42898	2022-12-14
https://bugzilla.redhat.com/show_bug.cgi?id=2140960	2022-12-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				>= 1.8 < 1.19.4 Search vendor "Mit" for product "Kerberos 5" and version " >= 1.8 < 1.19.4"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.20 Search vendor "Mit" for product "Kerberos 5" and version "1.20"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.20 Search vendor "Mit" for product "Kerberos 5" and version "1.20"		beta1		Affected
Heimdal Project Search vendor "Heimdal Project"		Heimdal Search vendor "Heimdal Project" for product "Heimdal"				< 7.7.1 Search vendor "Heimdal Project" for product "Heimdal" and version " < 7.7.1"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				< 4.15.12 Search vendor "Samba" for product "Samba" and version " < 4.15.12"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.16.0 < 4.16.7 Search vendor "Samba" for product "Samba" and version " >= 4.16.0 < 4.16.7"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.17.0 < 4.17.3 Search vendor "Samba" for product "Samba" and version " >= 4.17.0 < 4.17.3"		-		Affected