USN-5675-1: Heimdal vulnerabilities
13 October 2022
Several security issues were fixed in Heimdal.
Releases
Packages
- heimdal - Heimdal Kerberos Network Authentication Protocol
Details
Isaac Boukris and Andrew Bartlett discovered that Heimdal's KDC was
not properly performing checksum algorithm verifications in the
S4U2Self extension module. An attacker could possibly use this issue
to perform a machine-in-the-middle attack and request S4U2Self
tickets for any user known by the application. This issue only
affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS.
(CVE-2018-16860)
It was discovered that Heimdal was not properly handling the
verification of key exchanges when an anonymous PKINIT was being
used. An attacker could possibly use this issue to perform a
machine-in-the-middle attack and expose sensitive information.
This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and
Ubuntu 18.04 LTS. (CVE-2019-12098)
Joseph Sutton discovered that Heimdal was not properly handling
memory management operations when dealing with TGS-REQ tickets that
were missing information. An attacker could possibly use this issue
to cause a denial of service. (CVE-2021-3671)
Michał Kępień discovered that Heimdal was not properly handling
logical conditions that related to memory management operations. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2022-3116)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04
-
libgssapi3-heimdal
-
7.7.0+dfsg-1ubuntu1.1
-
heimdal-kcm
-
7.7.0+dfsg-1ubuntu1.1
-
heimdal-kdc
-
7.7.0+dfsg-1ubuntu1.1
-
libkdc2-heimdal
-
7.7.0+dfsg-1ubuntu1.1
-
heimdal-servers
-
7.7.0+dfsg-1ubuntu1.1
-
libkrb5-26-heimdal
-
7.7.0+dfsg-1ubuntu1.1
-
heimdal-clients
-
7.7.0+dfsg-1ubuntu1.1
Ubuntu 18.04
-
libgssapi3-heimdal
-
7.5.0+dfsg-1ubuntu0.1
-
heimdal-kcm
-
7.5.0+dfsg-1ubuntu0.1
-
heimdal-kdc
-
7.5.0+dfsg-1ubuntu0.1
-
libkdc2-heimdal
-
7.5.0+dfsg-1ubuntu0.1
-
heimdal-servers
-
7.5.0+dfsg-1ubuntu0.1
-
libkrb5-26-heimdal
-
7.5.0+dfsg-1ubuntu0.1
-
heimdal-clients
-
7.5.0+dfsg-1ubuntu0.1
Ubuntu 16.04
-
libgssapi3-heimdal
-
1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1
Available with Ubuntu Pro
-
heimdal-kcm
-
1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1
Available with Ubuntu Pro
-
heimdal-kdc
-
1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1
Available with Ubuntu Pro
-
libkdc2-heimdal
-
1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1
Available with Ubuntu Pro
-
heimdal-servers
-
1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1
Available with Ubuntu Pro
-
libkrb5-26-heimdal
-
1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1
Available with Ubuntu Pro
-
heimdal-clients
-
1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1
Available with Ubuntu Pro
Ubuntu 14.04
-
heimdal-servers-x
-
1.6~git20131207+dfsg-1ubuntu1.2+esm1
Available with Ubuntu Pro
-
libgssapi3-heimdal
-
1.6~git20131207+dfsg-1ubuntu1.2+esm1
Available with Ubuntu Pro
-
heimdal-kcm
-
1.6~git20131207+dfsg-1ubuntu1.2+esm1
Available with Ubuntu Pro
-
heimdal-kdc
-
1.6~git20131207+dfsg-1ubuntu1.2+esm1
Available with Ubuntu Pro
-
libkdc2-heimdal
-
1.6~git20131207+dfsg-1ubuntu1.2+esm1
Available with Ubuntu Pro
-
heimdal-servers
-
1.6~git20131207+dfsg-1ubuntu1.2+esm1
Available with Ubuntu Pro
-
heimdal-clients-x
-
1.6~git20131207+dfsg-1ubuntu1.2+esm1
Available with Ubuntu Pro
-
libkrb5-26-heimdal
-
1.6~git20131207+dfsg-1ubuntu1.2+esm1
Available with Ubuntu Pro
-
heimdal-clients
-
1.6~git20131207+dfsg-1ubuntu1.2+esm1
Available with Ubuntu Pro
After a standard system update you need to restart any application
using Heimdal libraries to make all the necessary changes.
References
Related notices
- USN-3976-1: samba, smbclient, samba-libs, libsmbclient, python3-samba, samba-dsdb-modules, samba-testsuite, registry-tools, winbind, samba-common, libparse-pidl-perl, libpam-winbind, ctdb, libwbclient-dev, samba-vfs-modules, python-samba, libsmbclient-dev, samba-common-bin, samba-dev, libwbclient0, libnss-winbind
- USN-3976-2: samba, smbclient, samba-libs, swat, libsmbclient, libsmbsharemodes-dev, samba-dsdb-modules, samba-testsuite, registry-tools, winbind, samba-common, libparse-pidl-perl, libpam-winbind, samba-tools, samba-doc, libwbclient-dev, libsmbsharemodes0, samba-vfs-modules, libpam-smbpass, python-samba, libsmbclient-dev, samba-dev, libnss-winbind, libwbclient0, samba-doc-pdf, samba-common-bin
- USN-5142-1: samba, smbclient, samba-libs, libsmbclient, python3-samba, samba-dsdb-modules, samba-testsuite, registry-tools, winbind, samba-common, libpam-winbind, ctdb, libwbclient-dev, samba-vfs-modules, libsmbclient-dev, samba-common-bin, samba-dev, libwbclient0, libnss-winbind
- USN-5174-1: samba, smbclient, samba-libs, libsmbclient, samba-dsdb-modules, samba-testsuite, registry-tools, winbind, samba-common, libparse-pidl-perl, libpam-winbind, ctdb, libwbclient-dev, samba-vfs-modules, python-samba, libsmbclient-dev, samba-common-bin, samba-dev, libwbclient0, libnss-winbind