{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/730793#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereference. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.\r\n\r\n### Description\r\n\r\n**CVE-2022-3116**\r\nA flawed logical condition in lib/gssapi/spnego/accept_sec_context.c allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token.\r\n\r\n### Impact\r\nAn attacker can use a specially crafted network packet to cause a vulnerable application to crash.\r\n### Solution\r\nThe latest version of code in the Heimdal master branch fixes the issue. However, the current stable release 7.7.0 does not include the fix. \r\n\r\n### Acknowledgements\r\nThanks to Internet Systems Consortium for reporting the vulnerability.\r\n\r\nThis document was written by Kevin Stephens.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"No F5 products or services use the affected Heimdal functionality.","title":"Vendor statement from F5 Networks"},{"category":"other","text":"We do not use Heimdal in base illumos for our GSSAPI, nor in any base SmartOS or Triton pkgsrc packages.  (Optional pkgsrc packages may be affected, but these are on a per package basis.)  Because the report's conditions state:\r\n\r\n> It is believed that any binary which fulfills both of the following\r\nconditions:\r\n\r\n> - it is linked to an affected version of the Heimdal libgssapi library\r\n> - it allows SPNEGO to be used\r\n\r\n> is vulnerable to the attack described below.\r\n\r\nSmartOS and Triton should not be affected. SmartOS users should contact security@illumos.org if they notice GSSAPI issues (as they would be with illumos), however.","title":"Vendor statement from Joyent"},{"category":"other","text":"Verified Heimdal not used by Intel.","title":"Vendor statement from Intel"},{"category":"other","text":"Per Samba's bugzilla https://bugzilla.samba.org/show_bug.cgi?id=15204\r\n\r\nhttps://samba-team.gitlab.io/samba/third_party/heimdal/lib/gssapi/spnego/index.html shows we don't run the Heimdal SPNEGO code.\r\n\r\nSamba doesn't use Heimdal for SPNEGO, we handle the SPNEGO in GENSEC, not in Heimdal.","title":"Vendor statement from Samba"},{"category":"other","text":"Cradlepoint conducted a review of their offerings and the lib/gssapi/spnego/accept_sec_context.c library is not used in any of our products.","title":"Vendor statement from Cradlepoint"},{"category":"other","text":"Digi’s platforms, infrastructure, and/or services disallow kerberos/gssapi authentication from any available service and do not appear vulnerable to this exploit.","title":"Vendor statement from Digi International"},{"category":"other","text":"No Brocade Fibre Channel Products from 
Broadcom products are currently known to be affected by this vulnerability.","title":"Vendor statement from Brocade Communication Systems"},{"category":"other","text":"Heimdal is not in use in dd-wrt. Contrary to openwrt, dd-wrt uses ksmbd instead of samba4.","title":"Vendor statement from dd-wrt"},{"category":"other","text":"Code not used in our RTOS","title":"Vendor statement from eCosCentric"},{"category":"other","text":"Heimdal is not in use within our products or our organisation.","title":"Vendor statement from AVM GmbH"},{"category":"other","text":"Though HardenedBSD is affected, it is not possible to create a memory allocation at the 0 (NULL) address in HardenedBSD. Thus, at its worst, this bug will crash the application.","title":"Vendor statement from HardenedBSD"},{"category":"other","text":"We do not distribute the code for gssapi spnego","title":"Vendor statement from Check Point"},{"category":"other","text":"SUSE is not shipping the heimdal krb5 implementation.","title":"Vendor statement from SUSE Linux"},{"category":"other","text":"We do not use Heimdal in base illumos for our GSSAPI.  Because the report's conditions state:\r\n\r\n> It is believed that any binary which fulfills both of the following\r\nconditions:\r\n\r\n> - it is linked to an affected version of the Heimdal libgssapi library\r\n> - it allows SPNEGO to be used\r\n\r\n> is vulnerable to the attack described below.\r\n\r\nillumos should not be affected. 
illumos users should contact security@illumos.org if they notice GSSAPI issues, however.","title":"Vendor statement from Illumos"},{"category":"other","text":"Muonics does not use Heimdal in any of its products and thus this vulnerability is not applicable.","title":"Vendor statement from Muonics Inc."},{"category":"other","text":"DT is not reusing heimdal code in our branded products and is not affected.","title":"Vendor statement from Deutsche Telekom"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/730793"},{"url":"https://my.f5.com/manage/s/article/K000135352","summary":"Reference(s) from vendor \"F5 Networks\""},{"url":"https://bugzilla.samba.org/show_bug.cgi?id=15204","summary":"Reference(s) from vendor \"Samba\""},{"url":"https://github.com/heimdal/heimdal/commit/7a19658c1f4fc4adf85bb7bea96caae5ba57b33e","summary":"Reference(s) from vendor \"Heimdal Kerberos Project\""}],"title":"Heimdal Kerberos vulnerable to remotely triggered NULL pointer dereference","tracking":{"current_release_date":"2023-07-13T17:43:08+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#730793","initial_release_date":"2022-10-07 19:24:58.139750+00:00","revision_history":[{"date":"2023-07-13T17:43:08+00:00","number":"1.20230713174308.6","summary":"Released on 2023-07-13T17:43:08+00:00"}],"status":"final","version":"1.20230713174308.6"}},"vulnerabilities":[{"title":"A flawed logical condition in lib/gssapi/spnego/accept_sec_context.","notes":[{"category":"summary","text":"A flawed logical condition in 
lib/gssapi/spnego/accept_sec_context.c allows a malicious actor to remotely trigger a NULL pointer dereference using a crafted negTokenInit token."}],"cve":"CVE-2022-3116","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#730793"}],"product_status":{"known_affected":["CSAFPID-c44e5e0a-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45a71cc-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45aab60-3a70-11f1-a172-0afffb3ee71d"],"known_not_affected":["CSAFPID-c44d5eb0-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c44df35c-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c44ebd28-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c44f06de-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c44f3ba4-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4513d46-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c451b776-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4528fac-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c452e056-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4533ae2-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45400da-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4548140-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c454c092-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4552c76-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4557fc8-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c455c80c-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c456cb4e-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4570e1a-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4575be0-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4578f52-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4584a46-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c458d060-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4590878-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c4594040-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45976b4-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45a0778-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45a3e8c-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45aecb0-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45b419c-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45b78a6-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45bccf2-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45c04c4-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c45c3d40-3a70-11f1-a172-0afffb3ee71d","CSAFPID-c
45c8a2a-3a70-11f1-a172-0afffb3ee71d"]}}],"product_tree":{"branches":[{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-c44d5eb0-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"D-Link Systems Inc.","product":{"name":"D-Link Systems Inc. Products","product_id":"CSAFPID-c44df35c-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Heimdal Kerberos Project","product":{"name":"Heimdal Kerberos Project Products","product_id":"CSAFPID-c44e5e0a-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Brocade Communication Systems","product":{"name":"Brocade Communication Systems Products","product_id":"CSAFPID-c44ebd28-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Samba","product":{"name":"Samba Products","product_id":"CSAFPID-c44f06de-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Digi International","product":{"name":"Digi International Products","product_id":"CSAFPID-c44f3ba4-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"National Cyber Security Center Netherlands","product":{"name":"National Cyber Security Center Netherlands Products","product_id":"CSAFPID-c44f70d8-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"dd-wrt","product":{"name":"dd-wrt Products","product_id":"CSAFPID-c4513d46-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Cradlepoint","product":{"name":"Cradlepoint Products","product_id":"CSAFPID-c451b776-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"LANCOM Systems GmbH","product":{"name":"LANCOM Systems GmbH Products","product_id":"CSAFPID-c4528fac-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"NetComm Wireless Limited","product":{"name":"NetComm Wireless Limited Products","product_id":"CSAFPID-c452e056-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Peplink","product":{"name":"Peplink 
Products","product_id":"CSAFPID-c4533ae2-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Internet Initiative Japan Inc.","product":{"name":"Internet Initiative Japan Inc. Products","product_id":"CSAFPID-c45400da-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Advantech Czech","product":{"name":"Advantech Czech Products","product_id":"CSAFPID-c4548140-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Zyxel","product":{"name":"Zyxel Products","product_id":"CSAFPID-c454c092-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"McAfee","product":{"name":"McAfee Products","product_id":"CSAFPID-c4552c76-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Paessler","product":{"name":"Paessler Products","product_id":"CSAFPID-c4557fc8-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"netsnmp","product":{"name":"netsnmp Products","product_id":"CSAFPID-c455c80c-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Zebra Technologies","product":{"name":"Zebra Technologies Products","product_id":"CSAFPID-c456803a-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Belden","product":{"name":"Belden Products","product_id":"CSAFPID-c456cb4e-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Sierra Wireless","product":{"name":"Sierra Wireless Products","product_id":"CSAFPID-c4570e1a-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"lwIP","product":{"name":"lwIP Products","product_id":"CSAFPID-c4575be0-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Barracuda Networks","product":{"name":"Barracuda Networks Products","product_id":"CSAFPID-c4578f52-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Phoenix Contact","product":{"name":"Phoenix Contact Products","product_id":"CSAFPID-c457ffbe-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Miredo","product":{"name":"Miredo 
Products","product_id":"CSAFPID-c4584a46-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Akamai Technologies Inc.","product":{"name":"Akamai Technologies Inc. Products","product_id":"CSAFPID-c4588876-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-c458d060-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Hewlett Packard Enterprise","product":{"name":"Hewlett Packard Enterprise Products","product_id":"CSAFPID-c4590878-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Treck","product":{"name":"Treck Products","product_id":"CSAFPID-c4594040-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-c45976b4-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-c459c114-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"eCosCentric","product":{"name":"eCosCentric Products","product_id":"CSAFPID-c45a0778-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"AVM GmbH","product":{"name":"AVM GmbH Products","product_id":"CSAFPID-c45a3e8c-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"HardenedBSD","product":{"name":"HardenedBSD Products","product_id":"CSAFPID-c45a71cc-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"FreeBSD","product":{"name":"FreeBSD Products","product_id":"CSAFPID-c45aab60-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Check Point","product":{"name":"Check Point Products","product_id":"CSAFPID-c45aecb0-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-c45b419c-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Illumos","product":{"name":"Illumos Products","product_id":"CSAFPID-c45b78a6-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Muonics 
Inc.","product":{"name":"Muonics Inc. Products","product_id":"CSAFPID-c45bccf2-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Joyent","product":{"name":"Joyent Products","product_id":"CSAFPID-c45c04c4-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Aruba Networks","product":{"name":"Aruba Networks Products","product_id":"CSAFPID-c45c3d40-3a70-11f1-a172-0afffb3ee71d"}},{"category":"vendor","name":"Deutsche Telekom","product":{"name":"Deutsche Telekom Products","product_id":"CSAFPID-c45c8a2a-3a70-11f1-a172-0afffb3ee71d"}}]}}