{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/730793#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereference. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.\r\n\r\n### Description\r\n\r\n**CVE-2022-3116**\r\nA flawed logical condition in lib/gssapi/spnego/accept_sec_context.c allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token.\r\n\r\n### Impact\r\nAn attacker can use a specially crafted network packet to cause a vulnerable application to crash.\r\n### Solution\r\nThe latest version of code in the Heimdal master branch fixes the issue. However, the current stable release 7.7.0 does not include the fix. \r\n\r\n### Acknowledgements\r\nThanks to Internet Systems Consortium for reporting the vulnerability.\r\n\r\nThis document was written by Kevin Stephens.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"No F5 products or services use the affected Heimdal functionality.","title":"Vendor statement from F5 Networks"},{"category":"other","text":"We do not use Heimdal in base illumos for our GSSAPI, nor in any base SmartOS or Triton pkgsrc packages.  (Optional pkgsrc packages may be affected, but these are on a per package basis.)  Because the report's conditions state:\r\n\r\n> It is believed that any binary which fulfills both of the following\r\nconditions:\r\n\r\n> - it is linked to an affected version of the Heimdal libgssapi library\r\n> - it allows SPNEGO to be used\r\n\r\n> is vulnerable to the attack described below.\r\n\r\nSmartOS and Triton should not be affected. SmartOS users should contact security@illumos.org if they notice GSSAPI issues (as they would be with illumos), however.","title":"Vendor statement from Joyent"},{"category":"other","text":"Verified Heimdal not used by Intel.","title":"Vendor statement from Intel"},{"category":"other","text":"Per Samba's bugzilla https://bugzilla.samba.org/show_bug.cgi?id=15204\r\n\r\nhttps://samba-team.gitlab.io/samba/third_party/heimdal/lib/gssapi/spnego/index.html shows we don't run the Heimdal SPNEGO code.\r\n\r\nSamba doesn't use Heimdal for SPNEGO, we handle the SPNEGO in GENSEC, not in Heimdal.","title":"Vendor statement from Samba"},{"category":"other","text":"Cradlepoint conducted a review of their offerings and the lib/gssapi/spnego/accept_sec_context.c library is not used in any of our products.","title":"Vendor statement from Cradlepoint"},{"category":"other","text":"Digi’s platforms, infrastructure, and/or services disallows kerberos/gssapi authentication from any available service and does not appear vulnerable to this exploit.","title":"Vendor statement from Digi International"},{"category":"other","text":"No Brocade Fibre Channel Products from 
Broadcom products are currently known to be affected by this vulnerability.","title":"Vendor statement from Brocade Communication Systems"},{"category":"other","text":"Heimdal is not in use in dd-wrt. In contrast to openwrt, dd-wrt uses ksmbd instead of samba4.","title":"Vendor statement from dd-wrt"},{"category":"other","text":"Code not used in our RTOS","title":"Vendor statement from eCosCentric"},{"category":"other","text":"Heimdal is not in use within our products or our organisation.","title":"Vendor statement from AVM GmbH"},{"category":"other","text":"Though HardenedBSD is affected, it is not possible to create a memory allocation at the 0 (NULL) address in HardenedBSD. Thus, at its worst, this bug will crash the application.","title":"Vendor statement from HardenedBSD"},{"category":"other","text":"We do not distribute the code for gssapi spnego","title":"Vendor statement from Check Point"},{"category":"other","text":"SUSE is not shipping the heimdal krb5 implementation.","title":"Vendor statement from SUSE Linux"},{"category":"other","text":"We do not use Heimdal in base illumos for our GSSAPI.  Because the report's conditions state:\r\n\r\n> It is believed that any binary which fulfills both of the following\r\nconditions:\r\n\r\n> - it is linked to an affected version of the Heimdal libgssapi library\r\n> - it allows SPNEGO to be used\r\n\r\n> is vulnerable to the attack described below.\r\n\r\nillumos should not be affected. 
illumos users should contact security@illumos.org if they notice GSSAPI issues, however.","title":"Vendor statement from Illumos"},{"category":"other","text":"Muonics does not use Heimdal in any of its products and thus this vulnerability is not applicable.","title":"Vendor statement from Muonics Inc."},{"category":"other","text":"DT is not reusing heimdal code in our branded products and is not affected.","title":"Vendor statement from Deutsche Telekom"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/730793"},{"url":"https://my.f5.com/manage/s/article/K000135352","summary":"Reference(s) from vendor \"F5 Networks\""},{"url":"https://bugzilla.samba.org/show_bug.cgi?id=15204","summary":"Reference(s) from vendor \"Samba\""},{"url":"https://github.com/heimdal/heimdal/commit/7a19658c1f4fc4adf85bb7bea96caae5ba57b33e","summary":"Reference(s) from vendor \"Heimdal Kerberos Project\""}],"title":"Heimdal Kerberos vulnerable to remotely triggered NULL pointer dereference","tracking":{"current_release_date":"2023-07-13T17:43:08+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#730793","initial_release_date":"2022-10-07 19:24:58.139750+00:00","revision_history":[{"date":"2023-07-13T17:43:08+00:00","number":"1.20230713174308.6","summary":"Released on 2023-07-13T17:43:08+00:00"}],"status":"final","version":"1.20230713174308.6"}},"vulnerabilities":[{"title":"A flawed logical condition in lib/gssapi/spnego/accept_sec_context.","notes":[{"category":"summary","text":"A flawed logical condition in 
lib/gssapi/spnego/accept_sec_context.c allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token."}],"cve":"CVE-2022-3116","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#730793"}],"product_status":{"known_affected":["CSAFPID-cfa5bd16-394e-11f1-8422-122e2785dc9f","CSAFPID-cfaca4b4-394e-11f1-8422-122e2785dc9f","CSAFPID-cface906-394e-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-cfa53d46-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa56eec-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa60b18-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa63dd6-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa69ae2-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa6fd8e-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa73ae2-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa771f6-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa7af90-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa7d7fe-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa809d6-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa83244-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa87100-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa89f9a-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa8d096-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa90c46-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa9868a-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa9c8b6-394e-11f1-8422-122e2785dc9f","CSAFPID-cfa9faac-394e-11f1-8422-122e2785dc9f","CSAFPID-cfaa5042-394e-11f1-8422-122e2785dc9f","CSAFPID-cfaab05a-394e-11f1-8422-122e2785dc9f","CSAFPID-cfab29d6-394e-11f1-8422-122e2785dc9f","CSAFPID-cfab6874-394e-11f1-8422-122e2785dc9f","CSAFPID-cfaba000-394e-11f1-8422-122e2785dc9f","CSAFPID-cfabd6c4-394e-11f1-8422-122e2785dc9f","CSAFPID-cfac3f7e-394e-11f1-8422-122e2785dc9f","CSAFPID-cfac7156-394e-11f1-8422-122e2785dc9f","CSAFPID-cfad3a14-394e-11f1-8422-122e2785dc9f","CSAFPID-cfad9108-394e-11f1-8422-122e2785dc9f","CSAFPID-cfadcccc-394e-11f1-8422-122e2785dc9f","CSAFPID-cfae0eee-394e-11f1-8422-122e2785dc9f","CSAFPID-cfae5cfa-394e-11f1-8422-122e2785dc9f","CSAFPID-cfaeade0-394e-11f1-8422-122e2785dc9f","CSAFPID-c
faeefbc-394e-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-cfa53d46-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"D-Link Systems Inc.","product":{"name":"D-Link Systems Inc. Products","product_id":"CSAFPID-cfa56eec-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Heimdal Kerberos Project","product":{"name":"Heimdal Kerberos Project Products","product_id":"CSAFPID-cfa5bd16-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Brocade Communication Systems","product":{"name":"Brocade Communication Systems Products","product_id":"CSAFPID-cfa60b18-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Samba","product":{"name":"Samba Products","product_id":"CSAFPID-cfa63dd6-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Digi International","product":{"name":"Digi International Products","product_id":"CSAFPID-cfa69ae2-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"National Cyber Security Center Netherlands","product":{"name":"National Cyber Security Center Netherlands Products","product_id":"CSAFPID-cfa6c45e-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"dd-wrt","product":{"name":"dd-wrt Products","product_id":"CSAFPID-cfa6fd8e-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cradlepoint","product":{"name":"Cradlepoint Products","product_id":"CSAFPID-cfa73ae2-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"LANCOM Systems GmbH","product":{"name":"LANCOM Systems GmbH Products","product_id":"CSAFPID-cfa771f6-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetComm Wireless Limited","product":{"name":"NetComm Wireless Limited Products","product_id":"CSAFPID-cfa7af90-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Peplink","product":{"name":"Peplink 
Products","product_id":"CSAFPID-cfa7d7fe-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Internet Initiative Japan Inc.","product":{"name":"Internet Initiative Japan Inc. Products","product_id":"CSAFPID-cfa809d6-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Advantech Czech","product":{"name":"Advantech Czech Products","product_id":"CSAFPID-cfa83244-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Zyxel","product":{"name":"Zyxel Products","product_id":"CSAFPID-cfa87100-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"McAfee","product":{"name":"McAfee Products","product_id":"CSAFPID-cfa89f9a-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Paessler","product":{"name":"Paessler Products","product_id":"CSAFPID-cfa8d096-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"netsnmp","product":{"name":"netsnmp Products","product_id":"CSAFPID-cfa90c46-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Zebra Technologies","product":{"name":"Zebra Technologies Products","product_id":"CSAFPID-cfa94ff8-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Belden","product":{"name":"Belden Products","product_id":"CSAFPID-cfa9868a-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Sierra Wireless","product":{"name":"Sierra Wireless Products","product_id":"CSAFPID-cfa9c8b6-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"lwIP","product":{"name":"lwIP Products","product_id":"CSAFPID-cfa9faac-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Barracuda Networks","product":{"name":"Barracuda Networks Products","product_id":"CSAFPID-cfaa5042-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Contact","product":{"name":"Phoenix Contact Products","product_id":"CSAFPID-cfaa85b2-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Miredo","product":{"name":"Miredo 
Products","product_id":"CSAFPID-cfaab05a-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Akamai Technologies Inc.","product":{"name":"Akamai Technologies Inc. Products","product_id":"CSAFPID-cfaae688-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-cfab29d6-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Hewlett Packard Enterprise","product":{"name":"Hewlett Packard Enterprise Products","product_id":"CSAFPID-cfab6874-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Treck","product":{"name":"Treck Products","product_id":"CSAFPID-cfaba000-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-cfabd6c4-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-cfac1030-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"eCosCentric","product":{"name":"eCosCentric Products","product_id":"CSAFPID-cfac3f7e-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AVM GmbH","product":{"name":"AVM GmbH Products","product_id":"CSAFPID-cfac7156-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HardenedBSD","product":{"name":"HardenedBSD Products","product_id":"CSAFPID-cfaca4b4-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"FreeBSD","product":{"name":"FreeBSD Products","product_id":"CSAFPID-cface906-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Check Point","product":{"name":"Check Point Products","product_id":"CSAFPID-cfad3a14-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-cfad9108-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Illumos","product":{"name":"Illumos Products","product_id":"CSAFPID-cfadcccc-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Muonics 
Inc.","product":{"name":"Muonics Inc. Products","product_id":"CSAFPID-cfae0eee-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Joyent","product":{"name":"Joyent Products","product_id":"CSAFPID-cfae5cfa-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Aruba Networks","product":{"name":"Aruba Networks Products","product_id":"CSAFPID-cfaeade0-394e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Deutsche Telekom","product":{"name":"Deutsche Telekom Products","product_id":"CSAFPID-cfaeefbc-394e-11f1-8422-122e2785dc9f"}}]}}