CVE-2020-10595
published 2020-03-31


Priority: P261
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.78% (90.8th percentile)
pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single '\0' byte if an attacker responds to a prompt with an answer of a carefully chosen length. The effect may range from heap corruption to stack corruption depending on the structure of the underlying Kerberos library, with unknown effects but possibly including code execution. This code path is not used for normal authentication, but only when the Kerberos library does supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option.

Affected (5 ranges)

Vendor            Product        Version range                    Fixed in
debian            debian_linux   (not given)                      (not given)
debian            debian_linux   (not given)                      (not given)
debian            debian_linux   (not given)                      (not given)
debian            libpam-krb5    < libpam-krb5 4.9-1 (bookworm)   libpam-krb5 4.9-1 (bookworm)
pam-krb5_project  pam-krb5       < 4.9                            4.9

Detection & IOCs (extracted from sources)

  • Vulnerability is only triggerable when the Kerberos library initiates supplemental prompting — monitor for PAM authentication sessions using pam-krb5 with PKINIT or the non-standard no_prompt configuration option, as these are the only code paths exposed to the overflow.
  • The attack vector requires an attacker to supply a response to a Kerberos-library-initiated prompt whose length exactly equals the size of the buffer provided by the Kerberos library, triggering a single null-byte write past the end of the buffer — look for unusually crafted prompt responses during PKINIT or no_prompt PAM flows.
  • Scope of exploitation is local per Debian security tracker classification; prioritize detection on systems where pam-krb5 < 4.9 is installed and PKINIT or no_prompt is configured.
  • Red Hat shipped pam_krb5 packages (from https://pagure.io/pam_krb5) are NOT affected by this CVE due to significant refactoring from the upstream eyrie.org sources; only pam-krb5 from https://www.eyrie.org/~eagle/software/pam-krb5/ versions before 4.9 are vulnerable.
  • Under normal PAM usage (password authentication without no_prompt or PKINIT), pam-krb5 never performs Kerberos-library-initiated prompting and is therefore not readily vulnerable; the attack surface is limited to non-standard configurations.
  • Exploitability is further constrained by memory layout: the single-byte overflow may land in allocator padding rather than an adjacent variable, depending on how MIT Kerberos manages memory.
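The bullets above describe the defect class precisely: a reply is copied into a buffer supplied by the Kerberos library, and the terminating NUL lands one byte past the end when the reply length equals the buffer size. The C below is an added illustration of that pattern next to the bounds check that removes it; it is not pam-krb5's code, and the function names, the 16-byte buffer size and the sample replies are constructed. A canary byte placed immediately after the "library buffer" makes the stray write observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for copying a prompt reply into a caller-provided
 * buffer.  Off-by-one: a reply of exactly buf_size bytes passes the check,
 * and the NUL terminator is then written to buf[buf_size], one byte past
 * the end of the buffer. */
int copy_reply_vulnerable(char *buf, size_t buf_size, const char *reply)
{
    size_t reply_len = strlen(reply);
    if (reply_len > buf_size)          /* should be >= to leave room for NUL */
        return -1;
    memcpy(buf, reply, reply_len);
    buf[reply_len] = '\0';             /* out of bounds when reply_len == buf_size */
    return 0;
}

/* Hardened form: reserve one byte for the terminator and reject a reply
 * whose length is equal to (or larger than) the buffer size. */
int copy_reply_safe(char *buf, size_t buf_size, const char *reply)
{
    size_t reply_len = strlen(reply);
    if (buf_size == 0 || reply_len >= buf_size)
        return -1;
    memcpy(buf, reply, reply_len);
    buf[reply_len] = '\0';
    return 0;
}

/* Constructed harness: a backing array one byte larger than the buffer the
 * copy function is told about, with a canary in that extra byte.
 * Returns 1 if the canary was overwritten, 0 if it is intact, and -1 if
 * the copy function rejected the reply. */
#define LIB_BUF_SIZE 16
#define CANARY 0xAA

int probe(int (*copy_fn)(char *, size_t, const char *), const char *reply)
{
    unsigned char backing[LIB_BUF_SIZE + 1];
    memset(backing, 0x00, sizeof backing);
    backing[LIB_BUF_SIZE] = CANARY;    /* byte directly after the "library buffer" */
    if (copy_fn((char *)backing, LIB_BUF_SIZE, reply) != 0)
        return -1;
    return backing[LIB_BUF_SIZE] == CANARY ? 0 : 1;
}

int main(void)
{
    /* Constructed replies: one exactly LIB_BUF_SIZE bytes long, one shorter. */
    const char *exact_len = "0123456789abcdef";
    const char *short_reply = "hello";

    printf("vulnerable, 16-byte reply: canary clobbered = %d\n",
           probe(copy_reply_vulnerable, exact_len));
    printf("vulnerable, short reply:   canary clobbered = %d\n",
           probe(copy_reply_vulnerable, short_reply));
    printf("safe, 16-byte reply:       result = %d (rejected)\n",
           probe(copy_reply_safe, exact_len));
    printf("safe, short reply:         canary clobbered = %d\n",
           probe(copy_reply_safe, short_reply));
    return 0;
}
```

The harness only shows the one-byte write landing on the byte after the buffer; what that byte is in a real process (allocator padding, a heap chunk header, a saved register on the stack) is what the third bullet above says decides the actual impact.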

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv            -        9.8    CRITICAL  -
vendor_debian  -        9.8    CRITICAL  -
vendor_redhat  -        9.8    CRITICAL  -