A critical denial of service (DoS) vulnerability (CVE-2022-41916) has been discovered in Heimdal, a widely used implementation of ASN.1/DER, PKIX, and Kerberos. This vulnerability affects Heimdal's PKI certificate validation library, impacting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users are strongly advised to upgrade to Heimdal 7.7.1 or 7.8 to mitigate this issue. Currently, there are no known workarounds.

CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

The vulnerability is caused by a flaw in the ASN.1/DER parsing code while handling invalid certificates, specifically when processing invalid Relative Distinguished Names (RDNs) in the X.509 certificate's Subject and Issuer fields. This vulnerability can be exploited by an unauthenticated attacker, who can send a specially crafted PKI certificate to the affected components. This, in turn, can lead to a denial of service, causing the impacted system to crash.

Here's an example of a malformed certificate to demonstrate the vulnerability:

-----BEGIN CERTIFICATE-----
MIIDBTCCAe2gAwIBAgIJANrJYm8ARZOFMAGCSqGSIb3DQEBCwUAMBUxEzARBgNV
%Invalid_RDN_Payload_Here%
FAsTZXNLmNvbTAeFwyMTAzMzEyMTU3MzBaFwzMTAzMjkxNTU3MzBaMBUxEzAR
BgNVBAMMCioudGVzdC5jb20wggEiMAGCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDQVX%Payload_Continues%
-----END CERTIFICATE-----

An attacker can create a malicious certificate with invalid RDNs and send it to the target system to exploit the vulnerability. Note that the certificate above is a simplified, illustrative example with placeholder content, not a complete exploit.
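As an added illustration (not Heimdal's code or a reproduction of its parser), the following Python checks that a DER-encoded Name has the structure RFC 5280 requires: a SEQUENCE of non-empty SET RDNs, each element a SEQUENCE of an OID followed by one value. The sample Names are constructed here; a parser that enforces these checks before interpreting an RDN rejects the kind of malformed Subject or Issuer the advisory describes instead of crashing.

```python
# Added example, not Heimdal's code: strict structural check of a DER X.509 Name
# (RFC 5280: Name = SEQUENCE OF RDN; RDN = SET SIZE (1..MAX) OF SEQUENCE { OID, value }).

def _tlv(buf, pos):  # decode one DER TLV (single-byte tags) -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def _children(buf):  # split a constructed value into its (tag, value) elements
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def check_name(der):  # None if well-formed, else a description of the first defect
    try:
        tag, body, end = _tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return "Name is not a single SEQUENCE"
        for i, (rtag, rbody) in enumerate(_children(body)):
            if rtag != 0x31:
                return f"RDN {i}: expected SET, got tag 0x{rtag:02x}"
            atvs = _children(rbody)
            if not atvs:
                return f"RDN {i}: empty SET (SIZE (1..MAX) violated)"
            for j, (atag, abody) in enumerate(atvs):
                parts = _children(abody) if atag == 0x30 else []
                if len(parts) != 2 or parts[0][0] != 0x06 or not parts[0][1]:
                    return f"RDN {i} ATV {j}: need SEQUENCE {{ OID, value }}"
    except ValueError as e:
        return f"DER error: {e}"
    return None
# Constructed samples: CN=test (valid), an empty RDN, and an ATV missing its value.
OID_CN = b"\x06\x03\x55\x04\x03"
GOOD_NAME = b"\x30\x0f\x31\x0d\x30\x0b" + OID_CN + b"\x0c\x04test"
EMPTY_RDN = b"\x30\x02\x31\x00"
ATV_NO_VALUE = b"\x30\x09\x31\x07\x30\x05" + OID_CN
```

Run check_name on the Subject and Issuer bytes pulled from a certificate's TBSCertificate before passing the certificate to the validation library; any non-None result is a reason to drop it.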

Affected Versions

Heimdal versions prior to 7.7.1 are affected by this vulnerability.

Fix and Recommendations

The Heimdal team has released updates to address this vulnerability. Users are strongly recommended to:

1. Upgrade their Heimdal installation to version 7.7.1 or 7.8, available from the official website: https://www.heimdal.kf2.su.se/

2. Review and verify any third-party applications that rely on Heimdal's libhx509 library for certificate processing to ensure they are not affected by this vulnerability.

As mentioned earlier, there are no known workarounds for this issue.

Original References

- CVE-2022-41916: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41916

- Heimdal Security Advisory: https://github.com/heimdal/heimdal/security/advisories/GHSA-2qp9-hpgg-mqr9

- NVD Vulnerability Details: https://nvd.nist.gov/vuln/detail/CVE-2022-41916

In conclusion, CVE-2022-41916 is a severe denial of service vulnerability in Heimdal, affecting the PKI certificate validation library. Users should immediately upgrade their Heimdal installations and verify any related third-party applications to protect against potential attacks exploiting this vulnerability.

Timeline

Published on: 11/15/2022 23:15:00 UTC
Last modified on: 02/16/2023 14:15:00 UTC