On my system,
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Kerberos.framework/Headers/krb5.h
says
"Copyright 1989,1990,1995,2001, 2003,
2007 by the Massachusetts Institute of Technology."
and FindKERBEROS.cmake detects it as
MIT Kerberos, not Heimdal. It might be Heimdal on the inside, but
it looks very much like MIT on the outside.
Should we go ahead and remove Heimdal
support? I think it's effectively dead code at this point.
On 4/17/26 7:05 AM, John Thacker wrote:
Hi Kundan Kumar,

Wireshark 4.0.17 was the last release on the 4.0 branch, which is past
its official end of service date and is not receiving security
updates. If you are concerned about security, you should
update to a supported version, either on the 4.4 or 4.6
branch, as there are CVEs related to Wireshark code present in
Wireshark 4.0.17 and fixed in later versions. Some Linux
distributions, such as Debian bookworm (the "oldstable"
release), continue to package 4.0.17, and it is the
distribution's responsibility to apply any security fixes.
As far as the flavor of Kerberos, for macOS releases Heimdal
Kerberos is used as that is what is built in to the OS, for
Windows releases MIT Kerberos is used, and for Linux
distributions it depends on which flavor the distribution uses
to build, as both can be supported. While for instance Debian
has packages for both Heimdal and MIT Kerberos, I believe
their Wireshark packages are built against MIT Kerberos.
Therefore it's not possible to answer your questions without
knowing the platform on which you are running Wireshark, as
the answer may differ, nor is anyone likely to take the time
to research the answer to the question about a version which
has been out of support since August 2024.
Cheers,
John Thacker
Hi Wireshark Team,
Our vulnerability scanner has flagged 10 Heimdal Kerberos
CVEs against Wireshark 4.0.17 by scanning
libwireshark.so.16.0.17. We need your guidance on their
applicability.
CVEs flagged:
CVE ID           CVSS  Description
------------------------------------------------------------
CVE-2022-44640   9.8   Heimdal ASN.1 codec RCE (invalid free)
CVE-2022-42898   8.8   Heimdal PAC parsing integer overflow RCE/DoS
CVE-2017-11103   7.4   Heimdal Orpheus' Lyre Kerberos impersonation
CVE-2018-16860   7.5   Heimdal KDC principal MITM
CVE-2019-12098   7.4   Heimdal PKINIT key exchange MITM
CVE-2017-6594    7.5   Heimdal transit path validation bypass
CVE-2017-17439   7.5   Heimdal KDC NULL pointer deref DoS
CVE-2021-44758   7.5   Heimdal SPNEGO NULL pointer deref DoS
CVE-2022-3116    7.5   Heimdal NULL pointer deref DoS
CVE-2022-41916   7.5   Heimdal PKI cert validation DoS
Our questions:
- Which version of Heimdal Kerberos does Wireshark 4.0.17 bundle or use internally?
- Do any of these 10 CVEs affect Wireshark 4.0.17?
- If yes, which Wireshark version should we upgrade to for the fix?
- If no, can you confirm why?
Thank you for your time.
Best regards,
Kundan Kumar
_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@xxxxxxxxxxxxx
To unsubscribe send an email to wireshark-dev-leave@xxxxxxxxxxxxx
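The replies above make the point that whether these Heimdal CVEs apply depends on which Kerberos flavor a particular Wireshark build was compiled against. The script below is an added example, not code from the Wireshark project or from anyone in this thread, for checking that on a given host. It assumes that `tshark -v` reports the flavor in its "Compiled ..." line as "with MIT Kerberos" or "with Heimdal Kerberos" (verify against your own build's output), and that on Linux an MIT build links the MIT-only support libraries libk5crypto and libkrb5support while a Heimdal build links libheimbase, libroken or libhcrypto; libkrb5 and libgssapi alone are ambiguous because both flavors ship libraries with those names. All sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not Wireshark project code): report which Kerberos flavor a
# Wireshark build was compiled against, which decides whether Heimdal CVEs
# can apply to it at all.
# Assumptions: `tshark -v` contains "with MIT Kerberos" / "with Heimdal
# Kerberos"; Linux builds link MIT-only (libk5crypto, libkrb5support) or
# Heimdal-only (libheimbase, libroken, libhcrypto) support libraries.

# Classify the text of `tshark -v`. Prints: mit | heimdal | none | unknown.
kerberos_flavor_from_version() {
    case "$1" in
        *"with MIT Kerberos"*)     echo mit ;;
        *"with Heimdal Kerberos"*) echo heimdal ;;
        *"without Kerberos"*)      echo none ;;
        *)                         echo unknown ;;
    esac
}

# Classify a shared-library listing (`ldd libwireshark.so` on Linux).
# Flavor-specific support libraries are checked before the ambiguous names
# (libkrb5, libgssapi) that both MIT and Heimdal use.
kerberos_flavor_from_libs() {
    case "$1" in
        *libheimbase*|*libroken*|*libhcrypto*|*/heimdal/*) echo heimdal ;;
        *libk5crypto*|*libkrb5support*)                    echo mit ;;
        *libkrb5*|*libgssapi*)                             echo unknown ;;
        *)                                                 echo none ;;
    esac
}

# Live check of this host's tshark; only meaningful when run interactively.
check_host() {
    if command -v tshark >/dev/null 2>&1; then
        kerberos_flavor_from_version "$(tshark -v 2>/dev/null)"
    else
        echo "tshark not found"
    fi
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_VERSION_MIT='TShark (Wireshark) 4.4 (constructed sample).
Compiled (64-bit) using GCC, with GLib, with libpcap, with MIT Kerberos, with Lua.'
SAMPLE_VERSION_HEIMDAL='TShark (Wireshark) 4.4 (constructed sample).
Compiled (64-bit) using Clang, with GLib, with libpcap, with Heimdal Kerberos.'
SAMPLE_LDD_MIT='libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x0)
libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3 (0x0)
libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0 (0x0)'
SAMPLE_LDD_HEIMDAL='libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/heimdal/libkrb5.so.26 (0x0)
libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/heimdal/libheimbase.so.1 (0x0)
libroken.so.19 => /usr/lib/x86_64-linux-gnu/heimdal/libroken.so.19 (0x0)'

# Run with --demo to classify the constructed samples; run with --host to
# check the tshark on this machine.
case "${1:-}" in
    --demo)
        kerberos_flavor_from_version "$SAMPLE_VERSION_MIT"      # mit
        kerberos_flavor_from_version "$SAMPLE_VERSION_HEIMDAL"  # heimdal
        kerberos_flavor_from_libs "$SAMPLE_LDD_MIT"             # mit
        kerberos_flavor_from_libs "$SAMPLE_LDD_HEIMDAL"         # heimdal
        ;;
    --host)
        check_host
        ;;
esac
```

A result of "unknown" from the library listing means only the shared libkrb5/libgssapi names were seen, so the `tshark -v` report should be treated as authoritative; the two checks are meant to be read together, not as substitutes for one another.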