USN-5675-1: Heimdal vulnerabilities

Publication date

13 October 2022

Overview

Several security issues were fixed in Heimdal.


Packages

  • heimdal - Heimdal Kerberos Network Authentication Protocol

Details

Isaac Boukris and Andrew Bartlett discovered that Heimdal's KDC was
not properly performing checksum algorithm verifications in the
S4U2Self extension module. An attacker could possibly use this issue
to perform a machine-in-the-middle attack and request S4U2Self
tickets for any user known by the application. This issue only
affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS.
(CVE-2018-16860)

It was discovered that Heimdal was not properly handling the
verification of key exchanges when an anonymous PKINIT was being
used. An attacker could possibly use this issue to perform a
machine-in-the-middle attack and expose sensitive information.
This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and
Ubuntu 18.04 LTS. (CVE-2019-12098)

Joseph Sutton discovered that Heimdal was not properly handling
memory management operations...

Isaac Boukris and Andrew Bartlett discovered that Heimdal's KDC was
not properly performing checksum algorithm verifications in the
S4U2Self extension module. An attacker could possibly use this issue
to perform a machine-in-the-middle attack and request S4U2Self
tickets for any user known by the application. This issue only
affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS.
(CVE-2018-16860)

It was discovered that Heimdal was not properly handling the
verification of key exchanges when an anonymous PKINIT was being
used. An attacker could possibly use this issue to perform a
machine-in-the-middle attack and expose sensitive information.
This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and
Ubuntu 18.04 LTS. (CVE-2019-12098)

Joseph Sutton discovered that Heimdal was not properly handling
memory management operations when dealing with TGS-REQ tickets that
were missing information. An attacker could possibly use this issue
to cause a denial of service. (CVE-2021-3671)

Michał Kępień discovered that Heimdal was not properly handling
logical conditions that related to memory management operations. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2022-3116)


Update instructions

After a standard system update you need to restart any application using Heimdal libraries to make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
20.04 focal libgssapi3-heimdal –  7.7.0+dfsg-1ubuntu1.1
heimdal-kcm –  7.7.0+dfsg-1ubuntu1.1
heimdal-kdc –  7.7.0+dfsg-1ubuntu1.1
libkdc2-heimdal –  7.7.0+dfsg-1ubuntu1.1
heimdal-servers –  7.7.0+dfsg-1ubuntu1.1
libkrb5-26-heimdal –  7.7.0+dfsg-1ubuntu1.1
heimdal-clients –  7.7.0+dfsg-1ubuntu1.1
18.04 bionic libgssapi3-heimdal –  7.5.0+dfsg-1ubuntu0.1
heimdal-kcm –  7.5.0+dfsg-1ubuntu0.1
heimdal-kdc –  7.5.0+dfsg-1ubuntu0.1
libkdc2-heimdal –  7.5.0+dfsg-1ubuntu0.1
heimdal-servers –  7.5.0+dfsg-1ubuntu0.1
libkrb5-26-heimdal –  7.5.0+dfsg-1ubuntu0.1
heimdal-clients –  7.5.0+dfsg-1ubuntu0.1
16.04 xenial libgssapi3-heimdal –  1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1  
heimdal-kcm –  1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1  
heimdal-kdc –  1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1  
libkdc2-heimdal –  1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1  
heimdal-servers –  1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1  
libkrb5-26-heimdal –  1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1  
heimdal-clients –  1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1  
14.04 trusty heimdal-servers-x –  1.6~git20131207+dfsg-1ubuntu1.2+esm1  
libgssapi3-heimdal –  1.6~git20131207+dfsg-1ubuntu1.2+esm1  
heimdal-kcm –  1.6~git20131207+dfsg-1ubuntu1.2+esm1  
heimdal-kdc –  1.6~git20131207+dfsg-1ubuntu1.2+esm1  
libkdc2-heimdal –  1.6~git20131207+dfsg-1ubuntu1.2+esm1  
heimdal-servers –  1.6~git20131207+dfsg-1ubuntu1.2+esm1  
heimdal-clients-x –  1.6~git20131207+dfsg-1ubuntu1.2+esm1  
libkrb5-26-heimdal –  1.6~git20131207+dfsg-1ubuntu1.2+esm1  
heimdal-clients –  1.6~git20131207+dfsg-1ubuntu1.2+esm1  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›