CVE-2022-42898
NixOS vulnerability analysis and mitigation

Overview

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in the KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms, and cause a denial of service on other platforms. The vulnerability was discovered in late 2022 and affects the krb5_pac_parse function in lib/krb5/krb/pac.c. Heimdal before 7.7.1 was also found to have a similar vulnerability (MIT Krb5 Commit, Samba Advisory).

Technical details

The vulnerability stems from an integer multiplication overflow when calculating how many bytes to allocate for the parsed PAC: the attacker-supplied buffer count is multiplied by the 16-byte size of each PAC info buffer entry. On 32-bit systems the product wraps, so the length check passes and the allocation is too small, and the parser then copies 16-byte chunks of entirely attacker-controlled data past the end of the allocation, resulting in a heap-based buffer overflow. The most exposed server is the KDC, because it parses an attacker-controlled PAC in the S4U2Proxy handler. The issue occurs specifically in the krb5_pac_parse function in lib/krb5/krb/pac.c (Samba Advisory, MIT Krb5 Commit).
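To make the arithmetic concrete, here is an added example written for this page (it is not code from MIT krb5, Heimdal or Samba) that contrasts a header-length computation that wraps in 32-bit arithmetic with a bounds check that divides instead of multiplying. The two constants follow the MS-PAC layout (a 4-byte cBuffers and 4-byte Version header, then 16-byte PAC_INFO_BUFFER entries); the sample PAC bytes are constructed inline, and the function names and the exact form of the hardened check are this example's own assumptions, not a copy of upstream's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not krb5's own code. MS-PAC layout: a PACTYPE header of
 * cBuffers (uint32 LE) and Version (uint32 LE), followed by cBuffers
 * PAC_INFO_BUFFER entries of 16 bytes each. The two lengths below are fixed
 * by that layout; the function names are this example's own. */
#define PACTYPE_LENGTH 8u
#define PAC_INFO_BUFFER_LENGTH 16u

static uint32_t load_32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_32_le(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Header length computed with 32-bit arithmetic, as a 32-bit build's size_t
 * would. 8 + cbuffers * 16 wraps once cbuffers reaches 2^28, so an absurd
 * buffer count yields a tiny "header length". uint32_t is used explicitly so
 * the wrap is reproducible on a 64-bit host as well. */
uint32_t header_len_wrapping(uint32_t cbuffers)
{
    return PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH;
}

/* Vulnerable pattern: trust the wrapped product. Returns 0 (accept) or -1. */
int naive_header_check(const unsigned char *buf, size_t len)
{
    if (len < PACTYPE_LENGTH)
        return -1;
    return len < header_len_wrapping(load_32_le(buf)) ? -1 : 0;
}

/* Hardened pattern: bound the count by what actually fits in len before any
 * multiplication takes place; a division cannot overflow. */
int hardened_header_check(const unsigned char *buf, size_t len,
                          uint32_t *cbuffers_out)
{
    if (len < PACTYPE_LENGTH)
        return -1;
    uint32_t cbuffers = load_32_le(buf);
    uint32_t version = load_32_le(buf + 4);
    if (version != 0 || cbuffers < 1)
        return -1;
    if (cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH)
        return -1;
    *cbuffers_out = cbuffers;
    return 0;
}

/* Constructed 24-byte PAC: header with the given cBuffers, Version 0, and a
 * single info-buffer entry (type 1, size 0, offset 24). Only the count varies
 * between samples, so the byte length of the PAC itself never changes. */
size_t build_sample_pac(unsigned char *out, size_t cap, uint32_t cbuffers)
{
    const size_t n = PACTYPE_LENGTH + PAC_INFO_BUFFER_LENGTH;
    if (cap < n)
        return 0;
    memset(out, 0, n);
    store_32_le(out, cbuffers);     /* cBuffers */
    store_32_le(out + 4, 0);        /* Version */
    store_32_le(out + 8, 1);        /* entry: ulType */
    store_32_le(out + 12, 0);       /* entry: cbBufferSize */
    store_32_le(out + 16, 24);      /* entry: Offset (low 32 bits) */
    return n;
}

/* Runs both checks on a constructed PAC; bit 0 set = naive check accepted,
 * bit 1 set = hardened check accepted. */
unsigned run_checks(uint32_t cbuffers)
{
    unsigned char pac[32];
    uint32_t count = 0;
    size_t len = build_sample_pac(pac, sizeof pac, cbuffers);
    unsigned r = 0;
    if (naive_header_check(pac, len) == 0)
        r |= 1u;
    if (hardened_header_check(pac, len, &count) == 0)
        r |= 2u;
    return r;
}

int main(void)
{
    /* cBuffers = 1: both checks accept (result 3). */
    printf("cBuffers=1:          checks=%u\n", run_checks(1u));
    /* cBuffers = 2^28: 8 + 2^28*16 wraps to 8, so the naive check accepts a
     * 24-byte PAC that claims 268 million entries (result 1), while the
     * hardened check rejects it (bit 1 clear). */
    printf("cBuffers=0x10000000: header_len=%u checks=%u\n",
           header_len_wrapping(0x10000000u), run_checks(0x10000000u));
    return 0;
}
```

The hardened check reorders the arithmetic so that the attacker-controlled count is compared against the space the message actually provides before it is ever multiplied; the same pattern (divide the remaining length by the element size and compare counts) applies to any length-prefixed array parsed from untrusted input.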

Impact

The impact varies depending on the platform architecture. On 32-bit platforms, the vulnerability could lead to remote code execution in KDC, kadmind, or GSS/Kerberos application server processes. On other platforms, it primarily results in a denial of service condition. The vulnerability is particularly severe for KDC servers as they process attacker-controlled PACs in S4U2Proxy handlers. Secondary risk exists for Kerberos-enabled file server installations in non-AD realms (Samba Advisory, NVD).

Mitigation and workarounds

The vulnerability has been fixed in MIT Kerberos 5 versions 1.19.4 and 1.20.1, and in Heimdal version 7.7.1. For 32-bit systems running as an AD DC, there is no workaround other than upgrading. File servers are only impacted if they are in a non-AD domain. 64-bit systems are not exploitable for code execution through this vulnerability (the denial-of-service impact described above still applies). Organizations should upgrade to the patched versions as soon as possible (Samba Advisory, MIT Krb5 Release).

This report was generated using AI.

Related NixOS vulnerabilities:

CVE ID           Severity   Score   Technologies   Component name   CISA KEV exploit   Has fix   Published date
CVE-2025-61619   HIGH       7.5     NixOS          android          No                 No        Dec 01, 2025
CVE-2025-61618   HIGH       7.5     NixOS          android          No                 No        Dec 01, 2025
CVE-2025-61617   HIGH       7.5     NixOS          android          No                 No        Dec 01, 2025
CVE-2025-61610   HIGH       7.5     NixOS          android          No                 No        Dec 01, 2025
CVE-2025-65622   MEDIUM     5.4     PHP            snipe-it         No                 Yes       Dec 01, 2025
