CVE-2023-3326

EUVD-2023-43994

22.06.2023, 17:15

pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 62%

Affected Products (NVD)

Vendor	Product	Version
freebsd	freebsd	𝑥 < 12.4
freebsd	freebsd	13.0 ≤ 𝑥 < 13.1
freebsd	freebsd	12.4
freebsd	freebsd	12.4:p1
freebsd	freebsd	12.4:p2
freebsd	freebsd	12.4:rc2-p1
freebsd	freebsd	12.4:rc2-p2
freebsd	freebsd	13.1
freebsd	freebsd	13.1:b1-p1
freebsd	freebsd	13.1:b2-p2
freebsd	freebsd	13.1:p1
freebsd	freebsd	13.1:p2
freebsd	freebsd	13.1:p3
freebsd	freebsd	13.1:p4
freebsd	freebsd	13.1:p5
freebsd	freebsd	13.1:p6
freebsd	freebsd	13.1:p7
freebsd	freebsd	13.1:rc1-p1
freebsd	freebsd	13.2