CVE-2020-10595

EUVD-2020-3044

31.03.2020, 13:15

pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single '\0' byte if an attacker responds to a prompt with an answer of a carefully chosen length. The effect may range from heap corruption to stack corruption depending on the structure of the underlying Kerberos library, with unknown effects but possibly including code execution. This code path is not used for normal authentication, but only when the Kerberos library does supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option.

Classic Buffer Overflow

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 91%

Affected Products (NVD)

Vendor	Product	Version
pam-krb5_project	pam-krb5	𝑥 < 4.9
debian	debian_linux	8.0
debian	debian_linux	9.0
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libpam-krb5

bookworm	4.11-1 fixed
bullseye	4.9-2 fixed
sid	4.11-2 fixed
trixie	4.11-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

libpam-krb5

bionic	Fixed 4.8-1ubuntu0.1 released
eoan	Fixed 4.8-2ubuntu0.1 released
trusty	Fixed 4.6-2ubuntu0.1~esm1 released
xenial	Fixed 4.7-2ubuntu0.1 released

Common Weakness Enumeration

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References

http://www.openwall.com/lists/oss-security/2020/03/31/1

https://github.com/rra/pam-krb5/commit/e7879e27a37119fad4faf133a9f70bdcdc75d760

https://lists.debian.org/debian-lts-announce/2020/04/msg00000.html

https://usn.ubuntu.com/4314-1/

https://www.debian.org/security/2020/dsa-4648

https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html

http://www.openwall.com/lists/oss-security/2020/03/31/1

https://github.com/rra/pam-krb5/commit/e7879e27a37119fad4faf133a9f70bdcdc75d760

https://lists.debian.org/debian-lts-announce/2020/04/msg00000.html

https://usn.ubuntu.com/4314-1/

https://www.debian.org/security/2020/dsa-4648

https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html