Vulnerability Details : CVE-2022-45142
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
Products affected by CVE-2022-45142
- cpe:2.3:a:heimdal_project:heimdal:7.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:heimdal_project:heimdal:7.7.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-45142
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 32 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-45142
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2022-45142
-
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2022-45142
-
https://www.openwall.com/lists/oss-security/2023/02/08/1
oss-security - [vs] heimdal: CVE-2022-45142: signature validation failureMailing List
-
https://security.gentoo.org/glsa/202310-06
Heimdal: Multiple Vulnerabilities (GLSA 202310-06) — Gentoo security
Jump to