CVE-2022-42898
Published: 25 December 2022
Summary
CVE-2022-42898 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in MIT Kerberos 5. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 6.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-42898 is an integer overflow vulnerability in PAC parsing code within MIT Kerberos 5 (krb5) versions prior to 1.19.4 and 1.20.x prior to 1.20.1, specifically in the krb5_pac_parse function in lib/krb5/krb/pac.c. The flaw can produce a heap-based buffer overflow on 32-bit platforms that leads to remote code execution, while triggering denial of service on other platforms. A similar issue exists in Heimdal releases before 7.7.1. The vulnerability carries a CVSS 3.1 base score of 8.8 and is classified under CWE-190.
An authenticated attacker who can supply a crafted PAC structure to an affected KDC, kadmind process, or any GSS or Kerberos application server may trigger the overflow. Successful exploitation on 32-bit systems can result in arbitrary code execution with the privileges of the target service, while other platforms are limited to denial-of-service conditions.
Upstream fixes are documented in the krb5 commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 and the corresponding Heimdal security advisory GHSA-64mq-fvfj-5x3c. Multiple distributions have published coordinated advisories, including Gentoo GLSA-202309-06 and GLSA-202310-06, that direct administrators to apply the patched krb5 or Heimdal packages. The EPSS score has remained flat at 0.1083 with no material increase since disclosure.
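The arithmetic at the heart of this bug class, as an added illustration that is not krb5's code or its patch: a bounds check that forms offset + size in a 32-bit length type, beside a hardened form that compares each operand against the remaining space, plus a checked header-length computation for the untrusted cBuffers count. Function names are hypothetical, the 32-bit width is emulated with uint32_t so the wrap reproduces on any host, and the layout constants follow MS-PAC.

```c
#include <stdbool.h>
#include <stdint.h>

/* Layout per MS-PAC: a PACTYPE header (cBuffers, Version), then cBuffers
 * PAC_INFO_BUFFER entries (ulType, cbBufferSize, Offset). */
#define PACTYPE_LENGTH         8u
#define PAC_INFO_BUFFER_LENGTH 16u

/* Vulnerable pattern (hypothetical name): the buffer end is formed as
 * offset + size in the platform's native length type. Emulated with
 * uint32_t so the 32-bit wrap reproduces on any host: a huge Offset plus a
 * modest cbBufferSize wraps to a small value and passes the check. */
bool pac_buffer_in_bounds_vuln(uint64_t offset, uint32_t size,
                               uint32_t header_len, uint32_t len)
{
    uint32_t end = (uint32_t)offset + size;             /* may wrap */
    return offset >= header_len && end <= len;
}

/* Hardened pattern: never form the sum. Bound offset by len first, then
 * compare size against the space that remains; nothing here can wrap. */
bool pac_buffer_in_bounds_fixed(uint64_t offset, uint32_t size,
                                uint32_t header_len, uint32_t len)
{
    if (offset < header_len || offset > len)
        return false;
    return size <= len - (uint32_t)offset;
}

/* Header length: cBuffers comes from the untrusted blob, so bound it by how
 * many 16-byte entries fit in len before multiplying (the unchecked product
 * cBuffers * 16 wraps in 32 bits). *header_len is set only on success. */
bool pac_header_len(uint32_t cbuffers, uint32_t len, uint32_t *header_len)
{
    if (len < PACTYPE_LENGTH || cbuffers < 1 ||
        cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH)
        return false;
    *header_len = PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH;
    return true;
}
```

With a constructed 4 KiB PAC (len 4096, one buffer, so header_len 24), an entry with Offset 0xFFFFFFF0 and cbBufferSize 0x100 passes the vulnerable check because the emulated 32-bit sum wraps to 0xF0, while the hardened check rejects it on the offset alone.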
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-45956
Vulnerability details
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.