fkie_cve-2023-3326
Vulnerability from fkie_nvd
Published
2023-06-22 17:15
Modified
2024-11-21 08:17
Severity ?
Summary
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freebsd | freebsd | * | |
| freebsd | freebsd | * | |
| freebsd | freebsd | 12.4 | |
| freebsd | freebsd | 12.4 | |
| freebsd | freebsd | 12.4 | |
| freebsd | freebsd | 12.4 | |
| freebsd | freebsd | 12.4 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.1 | |
| freebsd | freebsd | 13.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7F6C8B0-9D75-476C-ADBA-754416FBC186",
"versionEndExcluding": "12.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D79AAEBE-0D5A-4C9C-95FD-6287A53EE1C0",
"versionEndExcluding": "13.1",
"versionStartIncluding": "13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:-:*:*:*:*:*:*",
"matchCriteriaId": "24920B4D-96C0-401F-B679-BEB086760EAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p1:*:*:*:*:*:*",
"matchCriteriaId": "3CE32730-A9F5-4E8D-BDA4-6B8232F84787",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p2:*:*:*:*:*:*",
"matchCriteriaId": "552E81DE-D409-475F-8ED0-E10A0BE43D29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:rc2-p1:*:*:*:*:*:*",
"matchCriteriaId": "BA821886-B26B-47A6-ABC9-B8F70CE0ACFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:rc2-p2:*:*:*:*:*:*",
"matchCriteriaId": "220629AD-32CC-4303-86AE-1DD27F0E4C65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:-:*:*:*:*:*:*",
"matchCriteriaId": "DEEE6D52-27E4-438D-AE8D-7141320B5973",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:b1-p1:*:*:*:*:*:*",
"matchCriteriaId": "66364EA4-83B1-4597-8C18-D5633B361A9C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:b2-p2:*:*:*:*:*:*",
"matchCriteriaId": "EF9292DD-EFB1-4B50-A941-7485D901489F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:p1:*:*:*:*:*:*",
"matchCriteriaId": "EFB18F55-4F5C-4166-9A7E-6F6617179A90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:p2:*:*:*:*:*:*",
"matchCriteriaId": "66E1C269-841F-489A-9A0A-5D145B417E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:p3:*:*:*:*:*:*",
"matchCriteriaId": "ECF1B567-F764-45F5-A793-BEA93720F952",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:p4:*:*:*:*:*:*",
"matchCriteriaId": "DAFE3F33-2C57-4B52-B658-82572607BD8C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:p5:*:*:*:*:*:*",
"matchCriteriaId": "C925DF75-2785-44BD-91CA-66D29C296689",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:p6:*:*:*:*:*:*",
"matchCriteriaId": "BCE2DAEC-81A5-49E9-B7E7-4F143FA6B3F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:p7:*:*:*:*:*:*",
"matchCriteriaId": "7725D503-1437-4F90-B30C-007193D5F0E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.1:rc1-p1:*:*:*:*:*:*",
"matchCriteriaId": "B536EE52-ED49-4A85-BC9D-A27828D5A961",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:-:*:*:*:*:*:*",
"matchCriteriaId": "A87EFA20-DD6B-41C5-98FD-A29F67D2E732",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.\n"
}
],
"id": "CVE-2023-3326",
"lastModified": "2024-11-21T08:17:01.307",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-22T17:15:44.833",
"references": [
{
"source": "secteam@freebsd.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:04.pam_krb5.asc"
},
{
"source": "secteam@freebsd.org",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:09.pam_krb5.asc"
},
{
"source": "secteam@freebsd.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20230714-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:04.pam_krb5.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:09.pam_krb5.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20230714-0005/"
}
],
"sourceIdentifier": "secteam@freebsd.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-303"
}
],
"source": "secteam@freebsd.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…