CVE-2022-45142 - How a Simple Patch Broke Heimdal’s Security Checks

CVE-2022-45142 is a reminder of how even basic software fixes can sometimes introduce dangerous new bugs. In this post, we'll break down what went wrong with Heimdal Kerberos' GSSAPI MIC (Message Integrity Code) validation after some backported patches, show real code snippets, reference the source commits, and offer a step-by-step look at the vulnerability, including how it could be exploited.

Background

Earlier, CVE-2022-3437 addressed an issue in Heimdal’s GSSAPI code where memcmp was used in a way that wasn’t constant time—opening the door to timing attacks. The fix replaced that call with a constant time compare function, and, due to a compiler bug, added explicit "!= " comparisons to ensure correct logic.

But when maintainers backported these patches to Heimdal versions 7.7.1, 7.8., and possibly others, a critical mistake crept in: Logic inversion. Suddenly, Heimdal’s code started doing the opposite of what it was supposed to—accepting messages with invalid integrity codes and rejecting valid ones.

Where It Happened

The bug sits in the arcfour checksum verification code inside Heimdal’s GSSAPI library (lib/gssapi/krb5/arcfour.c).

Here’s the related fragment from a vulnerable version (simplified for clarity)

if (ct_memcmp(mic, mymic, 16) != ) {
    ret = GSS_S_BAD_SIG;
}

This line intends to compare the received MIC (mic) and the calculated MIC (mymic) in *constant time*. If they’re NOT equal, it sets the return code to signal a bad signature.

But, due to the botched backport, the logic was sometimes inverted to

if (ct_memcmp(mic, mymic, 16) == ) {
    ret = GSS_S_BAD_SIG;
}

Now, if mic matches mymic (that is, the message is valid), it returns an error. If they're different (the message is invalid or tampered), it *passes* the check!

Related patches and commit links

- Fix for CVE-2022-3437 (original)
- Problematic backport (example)
- CVE-2022-45142 advisory

How the Bug Could Be Exploited

Because the signature check was accidentally flipped, an attacker could send any message with a garbage (or empty) MIC, and Heimdal would mistakenly accept it as authentic. Here’s a typical attack path:

1. Attacker sends a tampered message through a GSSAPI-protected Kerberos channel, using an invalid MIC or no MIC at all.

Heimdal checks the MIC using the broken logic.

3. The memcmp returns != (since the MIC is different), so the branch is *not* taken, and the message is considered *valid* instead of being rejected.

This allows an attacker to bypass message integrity checks, potentially injecting, altering, or replaying messages within a session that should be protected by Kerberos.

Exploit Example

Suppose you're crafting a Python proof-of-concept using the impacket toolkit, which allows tweaking Kerberos authentication flows.

Pseudocode

from impacket.krb5 import GSSAPI

gss = GSSAPI(target_service)
gss.init_sec_context()

# Send a message with an *invalid* MIC (or none at all)
tampered_message = b"\x00" * 16  # Garbage MIC

response = gss.send_message(data="malicious data", mic=tampered_message)

# On a vulnerable server, this message would be wrongly accepted.

> Note: Actual network-level exploitation would require protocol-level message crafting and replay attacks, likely best demonstrated in a C or Python PoC.

How to Check If You're Vulnerable

- Review your Heimdal version. Versions 7.7.1, 7.8., and other branches with the problematic patch are at risk.
- Look at the source code: ensure any comparisons of memcmp or ct_memcmp results are correct (should use != for *failure*).

The solution is simple: Restore the original logic. The patch is to change

if (ct_memcmp(mic, mymic, 16) == ) {  // Wrong!
    ret = GSS_S_BAD_SIG;
}

back to

if (ct_memcmp(mic, mymic, 16) != ) {  // Correct
    ret = GSS_S_BAD_SIG;
}

You can see the fix in

- Heimdal master commit
- Release notes and advisories

Compiler workarounds ("!= ") are tricky but necessary in some environments.

- Always audit validation logic with unit tests and protocol fuzzing after any fix, especially for core crypto checks.

References

- Official Heimdal Security Advisory (GHSA-34w2-j9v6-4p6c)
- Patch for CVE-2022-3437 in Heimdal
- Heimdal source code on GitHub
- impacket toolkit - Kerberos for hackers


Bottom line: If you use Heimdal Kerberos, *double-check your GSSAPI integrity checks today*. Tiny code mistakes can let attackers slip right past your defenses.

Timeline

Published on: 03/06/2023 23:15:00 UTC
Last modified on: 03/13/2023 18:02:00 UTC