CVE Vulnerabilities

CVE-2022-45142

Improper Validation of Integrity Check Value

Published: Mar 06, 2023 | Modified: Nov 21, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding != 0 comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.

Weakness

The product does not validate or incorrectly validates the integrity check values or “checksums” of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

Affected Software

Name Vendor Start Version End Version
Heimdal Heimdal_project 7.7.1 (including) 7.7.1 (including)
Heimdal Heimdal_project 7.8.0 (including) 7.8.0 (including)
Heimdal Ubuntu bionic *
Heimdal Ubuntu devel *
Heimdal Ubuntu esm-apps/noble *
Heimdal Ubuntu esm-infra/xenial *
Heimdal Ubuntu focal *
Heimdal Ubuntu kinetic *
Heimdal Ubuntu lunar *
Heimdal Ubuntu mantic *
Heimdal Ubuntu noble *
Heimdal Ubuntu oracular *
Heimdal Ubuntu trusty *
Heimdal Ubuntu trusty/esm *
Heimdal Ubuntu xenial *

Potential Mitigations

References