CVE-2023-3326

Public on 2023-06-22
Modified on 2024-10-11
Description
In a non-default FreeBSD installation that uses pam_krb5 for authentication and does not have a keytab provisioned, an attacker who can control both the password and the KDC responses can return a valid TGT, allowing authentication to succeed for any user on the system.

CVE-2023-3326 is specific to systems that use pam_krb5 without a keytab and that receive a malicious or forged KDC response. pam_krb5 relies on the underlying krb5 default configuration, in which verify_ap_req_nofail is set to false, so the TGT returned by the KDC is never verified against a local key. Because changing this default could break existing deployments on unkeyed systems, and because the mitigation is simply to set verify_ap_req_nofail to true, a fix will not be provided at this time for Amazon Linux 2.
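The two conditions the advisory names are a missing keytab and verify_ap_req_nofail left at its default. The following POSIX shell script is an added example, not part of the advisory or of Amazon Linux tooling: it writes two constructed krb5.conf fragments (one with the default, one with the mitigation applied), parses the [libdefaults] section, and reports whether verify_ap_req_nofail is enforced and whether a keytab is present. The keytab path /etc/krb5.keytab is the usual MIT krb5 default and is an assumption here; the parser is deliberately simple and does not follow includedir directives or per-realm overrides.

```shell
#!/bin/sh
# Added example: audit a krb5.conf for the CVE-2023-3326 mitigation.

# Constructed sample: verify_ap_req_nofail left at its default (false).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
EOF

# Constructed sample: the mitigation the advisory describes.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    verify_ap_req_nofail = true
EOF

# Return 0 when verify_ap_req_nofail is explicitly "true" in the
# [libdefaults] section of the file given as $1, 1 otherwise.
verify_ap_req_enforced() {
    awk '
        { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }
        /^#/ || /^;/ || /^$/ { next }
        /^\[/ { section = $0; gsub(/\[|\]/, "", section); next }
        section == "libdefaults" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            sub(/[[:space:]]+$/, "", key)
            val = substr($0, index($0, "=") + 1)
            sub(/^[[:space:]]+/, "", val)
            if (key == "verify_ap_req_nofail" && tolower(val) == "true") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Return 0 when a non-empty keytab exists at $1 (default: the assumed
# MIT krb5 location /etc/krb5.keytab), 1 otherwise.
keytab_present() {
    [ -s "${1:-/etc/krb5.keytab}" ]
}

# Summarise exposure for one config file and one keytab path.
# Prints "exposed" when neither mitigation is in place, "ok" otherwise.
assess() {
    if verify_ap_req_enforced "$1" || keytab_present "$2"; then
        echo ok
    else
        echo exposed
    fi
}

# Stand-alone usage over the constructed samples with no keytab on disk.
echo "weak config:     $(assess "$WEAK_CONF" /nonexistent/keytab)"
echo "hardened config: $(assess "$HARDENED_CONF" /nonexistent/keytab)"
```

On a real host, run assess against /etc/krb5.conf with the default keytab path; "exposed" means the system matches the advisory's vulnerable configuration and verify_ap_req_nofail = true should be added under [libdefaults] (or a host keytab provisioned).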
Severity
Medium
CVSS v3 Base Score
6.5

Affected Packages

Platform                Package    Release Date  Advisory  Status
Amazon Linux 1          pam_krb5   -             -         No Fix Planned
Amazon Linux 2 - Core   pam_krb5   -             -         No Fix Planned

CVSS Scores

Score Type     Score  Vector
Amazon Linux   CVSSv3  6.5   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
NVD            CVSSv3  9.8   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H