FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Network authentication attack via pam_krb5

Affected packages
13.2 <= FreeBSD < 13.2_1
13.1 <= FreeBSD < 13.1_8
12.4 <= FreeBSD < 12.4_3

Details

VuXML ID 41af0277-47bf-11ee-8e38-002590c1f29c
Discovery 2023-06-21
Entry 2023-08-31

Problem Description:

pam_krb5 authenticates the user by essentially running kinit(1) with the password, getting a `ticket-granting ticket' (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password.

Normally, the system running the pam_krb5 module will also have a keytab, a key provisioned by the KDC. The pam_krb5 module will use the tgt to get a service ticket and validate it against the keytab, ensuring the tgt is valid and therefore, the password is valid.

However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid.

Impact:

In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.

References

CVE Name CVE-2023-3326
FreeBSD Advisory SA-23:04.pam_krb5