| Name | CVE-2023-3326 |
| Description | pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libpam-krb5 (PTS) | jessie, jessie (lts) | 4.6-3+deb8u1 | vulnerable |
| stretch (security), stretch (lts), stretch | 4.7-4+deb9u1 | vulnerable | |
| buster (security), buster, buster (lts) | 4.8-2+deb10u1 | vulnerable | |
| bullseye | 4.9-2 | vulnerable | |
| bookworm | 4.11-1 | vulnerable | |
| sid, trixie | 4.11-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libpam-krb5 | source | (unstable) | (unfixed) | unimportant |
Documented shortcoming of Linux pam-krb
https://www.openwall.com/lists/oss-security/2023/06/22/2