Isaac Boukris and Andrew Bartlett discovered that Heimdal’s KDC was
not properly performing checksum algorithm verifications in the
S4U2Self extension module. An attacker could possibly use this issue
to perform a machine-in-the-middle attack and request S4U2Self
tickets for any user known by the application. This issue only
affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS.
(CVE-2018-16860)
It was discovered that Heimdal was not properly handling the
verification of key exchanges when an anonymous PKINIT was being
used. An attacker could possibly use this issue to perform a
machine-in-the-middle attack and expose sensitive information.
This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and
Ubuntu 18.04 LTS. (CVE-2019-12098)
Joseph Sutton discovered that Heimdal was not properly handling
memory management operations when dealing with TGS-REQ tickets that
were missing information. An attacker could possibly use this issue
to cause a denial of service. (CVE-2021-3671)
Michał Kępień discovered that Heimdal was not properly handling
logical conditions that related to memory management operations. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2022-3116)