FreeBSD pam_krb5 Auth Bypass: Unvalidated TGT from KDC
CVE-2023-3326 Published on June 22, 2023
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.
Weakness Type
Incorrect Implementation of Authentication Algorithm
The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. This incorrect implementation may allow authentication to be bypassed.
Products Associated with CVE-2023-3326
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-3326 are published in FreeBSD:
Affected Versions
FreeBSD:- Version 13.2-RELEASE and below 13.2-RELEASE-p1 is affected.
- Version 13.1-RELEASE and below 13.1-RELEASE-p8 is affected.
- Version 12.4-RELEASE and below 12.4-RELEASE-p3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.