PT-2022-5570 · MIT · MIT Kerberos 5
Greg Hudson · Published 2022-11-15 · Updated 2026-04-13 · CVE-2022-42898
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
MIT Kerberos 5 versions prior to 1.19.4 and 1.20.x prior to 1.20.1
Heimdal versions prior to 7.7.1
Samba versions prior to 4.15.12, 4.16.7, and 4.17.3
Description
The issue is a set of integer overflows in PAC parsing in MIT Kerberos 5 and Heimdal, which may lead to remote code execution on 32-bit platforms and cause a denial of service on other platforms. The overflows occur in the krb5_pac_parse function in lib/krb5/krb/pac.c. The vulnerability can be exploited by sending a specially crafted request to a KDC server, allowing an authenticated attacker to overflow a buffer with controlled data. Successful exploitation can lead to denial of service or remote code execution.
Recommendations
For MIT Kerberos 5 versions prior to 1.19.4 and 1.20.x prior to 1.20.1, update to version 1.19.4 or 1.20.1 or later.
For Heimdal versions prior to 7.7.1, update to version 7.7.1 or later.
For Samba versions prior to 4.15.12, 4.16.7, and 4.17.3, update to version 4.15.12, 4.16.7, or 4.17.3 or later.
As a temporary workaround, consider restricting access to the KDC server and limiting the use of the krb5_pac_parse function until a patch is available.
Exploit
Fix
DoS
RCE
Integer Overflow
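The bug class named in the description, shown as an added example (not code from MIT Kerberos, Heimdal, Samba or this advisory): a PAC header validator whose length and offset checks cannot wrap, next to the 32-bit product that does. It assumes the PAC layout published in MS-PAC (an 8-byte header followed by 16-byte info entries); the function names and sample arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define PAC_HDR_LEN   8u   /* cBuffers (4) + Version (4) */
#define PAC_INFO_LEN 16u   /* ulType (4) + cbBufferSize (4) + Offset (8) */

/* Constructed samples (not captured traffic): one entry, 8 data bytes at offset 24. */
const uint8_t pac_ok[32] = {1,0,0,0, 0,0,0,0, 1,0,0,0, 8,0,0,0, 24,0,0,0,0,0,0,0};
/* Same, but cBuffers = 0x10000000, where the 32-bit product below wraps to 0. */
const uint8_t pac_bad_count[32] = {0,0,0,0x10, 0,0,0,0, 1,0,0,0, 8,0,0,0, 24,0,0,0,0,0,0,0};
/* Same, but Offset = 0xFFFFFFFFFFFFFFFC, so Offset + size would wrap to 4. */
const uint8_t pac_bad_off[32] = {1,0,0,0, 0,0,0,0, 1,0,0,0, 8,0,0,0, 0xFC,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};

static uint32_t rd32(const uint8_t *p) {   /* little-endian 32-bit read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) {   /* little-endian 64-bit read */
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}

/* Header length as 32-bit arithmetic computes it: wraps for large counts. */
uint32_t pac_header_len_wrapping(uint32_t cbuffers) {
    return PAC_HDR_LEN + cbuffers * PAC_INFO_LEN;
}

/* Hypothetical validator: 0 if every length and offset fits inside len, else -1. */
int pac_validate(const uint8_t *data, size_t len) {
    if (data == NULL || len < PAC_HDR_LEN)
        return -1;
    uint32_t cbuffers = rd32(data);
    /* Divide instead of multiply, so the count check itself cannot wrap. */
    if (rd32(data + 4) != 0 || cbuffers == 0 || cbuffers > (len - PAC_HDR_LEN) / PAC_INFO_LEN)
        return -1;
    size_t header_len = PAC_HDR_LEN + (size_t)cbuffers * PAC_INFO_LEN;
    for (uint32_t i = 0; i < cbuffers; i++) {
        const uint8_t *e = data + PAC_HDR_LEN + (size_t)i * PAC_INFO_LEN;
        uint32_t size = rd32(e + 4);
        uint64_t off = rd64(e + 8);
        /* Subtract instead of add: off + size can wrap even in 64 bits. */
        if (off < header_len || off > len || size > len - off)
            return -1;
    }
    return 0;
}
```

A parser that trusted the wrapped header length would treat a huge entry count as fitting in 8 bytes; the validator rejects both malformed samples before any entry is used.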
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
FreeBSD
Linux Mint
MIT Kerberos 5
Red Hat
Rocky Linux
Samba
SUSE
Ubuntu