CVE-2020-10595
Published 2020-03-31
Priority P2 · Critical · CVSS 3.1 base score 9.8 · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.78% (90.8th percentile)
pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single '\0' byte if an attacker responds to a prompt with an answer of a carefully chosen length. The effect may range from heap corruption to stack corruption depending on the structure of the underlying Kerberos library, with unknown effects but possibly including code execution. This code path is not used for normal authentication, but only when the Kerberos library does supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option.
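The one-byte overflow described above, shown as an added C illustration that is not pam-krb5's own code: a PAM module copies a prompt answer into a buffer the Kerberos library provided, the vulnerable form's length check is off by one, so an answer exactly as long as the buffer pushes the terminating '\0' one byte past its end, and the hardened form rejects that answer instead. The reply_buf type, the GUARD sentinel and the run_copy harness are constructed for the demonstration only.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the buffer a Kerberos library hands a PAM module
 * for a supplemental prompt: a data pointer plus its allocated size. */
typedef struct { char *data; size_t length; } reply_buf;

/* Illustrative vulnerable pattern (not pam-krb5's code): an answer exactly
 * as long as the buffer passes the check, so the '\0' lands at data[length],
 * one byte past the end of the library-provided buffer. */
int copy_reply_unsafe(reply_buf *buf, const char *answer) {
    size_t len = strlen(answer);
    if (len > buf->length)          /* off by one: len == length passes */
        return -1;
    memcpy(buf->data, answer, len);
    buf->data[len] = '\0';          /* writes data[length] when len == length */
    return 0;
}

/* Hardened form: the terminator needs its own byte, so the answer must be
 * strictly shorter than the buffer; anything longer is rejected. */
int copy_reply_fixed(reply_buf *buf, const char *answer) {
    size_t len = strlen(answer);
    if (len >= buf->length)
        return -1;
    memcpy(buf->data, answer, len);
    buf->data[len] = '\0';
    return 0;
}

#define GUARD 0x7e  /* constructed sentinel placed just after the buffer */

/* Runs a copy routine on a `length`-byte buffer followed by one guard byte and
 * returns 1 if the guard was overwritten (rc receives the routine's result).
 * The guard lives in the same allocation, so the demo itself has no undefined
 * behaviour; on a real heap that byte is allocator padding or a neighbour. */
int run_copy(int (*copy)(reply_buf *, const char *), size_t length,
             const char *answer, int *rc) {
    char *block = malloc(length + 1);
    if (block == NULL) return -1;
    block[length] = GUARD;
    reply_buf buf = { block, length };
    *rc = copy(&buf, answer);
    int clobbered = ((unsigned char)block[length] != GUARD);
    free(block);
    return clobbered;
}
```

With an 8-byte buffer, an 8-character answer overwrites the guard through copy_reply_unsafe and is refused by copy_reply_fixed; a 7-character answer is accepted by both without touching the guard.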
Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | libpam-krb5 | < libpam-krb5 4.9-1 (bookworm) | libpam-krb5 4.9-1 (bookworm) |
| pam-krb5_project | pam-krb5 | < 4.9 | 4.9 |
Detection & IOCs (extracted from sources)

- Vulnerability is only triggerable when the Kerberos library initiates supplemental prompting: monitor for PAM authentication sessions using pam-krb5 with PKINIT or the non-standard no_prompt configuration option, as these are the only code paths exposed to the overflow.
- The attack vector requires an attacker to supply a response to a Kerberos-library-initiated prompt whose length exactly equals the size of the buffer provided by the Kerberos library, triggering a single null-byte write past the end of the buffer; look for unusually crafted prompt responses during PKINIT or no_prompt PAM flows.
- Scope of exploitation is local per Debian security tracker classification; prioritize detection on systems where pam-krb5 < 4.9 is installed and PKINIT or no_prompt is configured.
- Red Hat shipped pam_krb5 packages (from https://pagure.io/pam_krb5) are NOT affected by this CVE due to significant refactoring from the upstream eyrie.org sources; only pam-krb5 from https://www.eyrie.org/~eagle/software/pam-krb5/ versions before 4.9 are vulnerable.
- Under normal PAM usage (password authentication without no_prompt or PKINIT), pam-krb5 never performs Kerberos-library-initiated prompting and is therefore not readily vulnerable; the attack surface is limited to non-standard configurations.
- Exploitability is further constrained by memory layout: the single-byte overflow may land in allocator padding rather than an adjacent variable, depending on how MIT Kerberos manages memory.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat

pam_krb5: incorrect input handling results in single byte buffer overflow which may lead to heap corruption
vendor_redhat · 2020-03-31 · CVSS 9.8 · CRITICAL · CWE-20
Ubuntu

pam-krb5 vulnerability
vendor_ubuntu · 2020-03-31
Summary: pam-krb5 could be made to execute arbitrary code if it received a specially crafted response.
Russ Allbery discovered that pam-krb5 incorrectly handled some responses. An attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Debian

CVE-2020-10595: libpam-krb5 - pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution...
vendor_debian · 2020 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: resolved (fixed in 4.9-1)
bullseye: resolved (fixed in 4.9-1)
GHSA

GHSA-63wp-w3mg-whpq
ghsa_unreviewed · 2022-05-24 · HIGH
OSV

CVE-2020-10595
osv · 2020-03-31 · CVSS 9.8 · CRITICAL
No detection rules found.
No public exploits indexed.
References

- http://www.openwall.com/lists/oss-security/2020/03/31/1
- https://github.com/rra/pam-krb5/commit/e7879e27a37119fad4faf133a9f70bdcdc75d760
- https://lists.debian.org/debian-lts-announce/2020/04/msg00000.html
- https://usn.ubuntu.com/4314-1/
- https://www.debian.org/security/2020/dsa-4648
- https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html