CVE-2023-3326
published 2023-06-22


Priority: P2 (60)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.10% (61.5th percentile)
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.

Affected

9 ranges

Vendor    Product       Version range                          Fixed in
debian    libpam-krb5   (none listed)                          (none listed)
freebsd   freebsd       < 12.4                                 12.4
freebsd   freebsd       (none listed)                          (none listed)
freebsd   freebsd       (none listed)                          (none listed)
freebsd   freebsd       (none listed)                          (none listed)
freebsd   freebsd       >= 12.4-RELEASE, < 12.4-RELEASE-p3     12.4-RELEASE-p3
freebsd   freebsd       >= 13.0, < 13.1                        13.1
freebsd   freebsd       >= 13.1-RELEASE, < 13.1-RELEASE-p8     13.1-RELEASE-p8
freebsd   freebsd       >= 13.2-RELEASE, < 13.2-RELEASE-p1     13.2-RELEASE-p1

Detection & IOCs (extracted from sources)

  • Check for presence of /etc/krb5.conf on the system — its existence indicates Kerberos is configured, which is a prerequisite for the vulnerable code path to be reachable.
  • Audit PAM configuration files under /etc/pam.d for uncommented pam_krb5 entries — an active pam_krb5 line without a keytab present is the exploitable condition.
  • Verify whether a keytab file is provisioned on the system. Absence of a keytab while pam_krb5 is active means the system cannot validate KDC responses and is vulnerable.
  • Monitor for rogue or unexpected KDC responses on the network (AS-REP / TGT issuance) combined with successful PAM authentication events on FreeBSD hosts that lack a keytab — this pattern indicates exploitation.
  • pam_krb5 is disabled (commented out) in the default FreeBSD PAM configuration; the vulnerability only affects non-default installations where pam_krb5 has been explicitly enabled.
  • GSSAPI-based Kerberos authentication is NOT affected; only password-based pam_krb5 authentication is vulnerable.
  • The initial patch from FreeBSD-SA-23:04.pam_krb5 did not fully resolve the issue; FreeBSD-SA-23:09.pam_krb5 was required as a follow-up fix. Ensure the later correction (dated 2023-08-01) is applied.
  • Debian (bookworm, bullseye, sid, trixie, forky) also tracks this CVE as open, meaning non-FreeBSD systems using pam_krb5 without a keytab may also be affected.
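A POSIX shell audit that combines the PAM-configuration and keytab checks above into a single host-state report. This is an added example, not part of the cvebase entry or of the FreeBSD advisory; it assumes PAM service files live under /etc/pam.d and the host keytab is /etc/krb5.keytab (both can be overridden as arguments, e.g. when krb5.conf sets default_keytab_name).

```shell
#!/bin/sh
# Added audit helper for CVE-2023-3326 (not from the advisory or FreeBSD).
# Assumptions: PAM service files under $1 (default /etc/pam.d) and the
# host keytab at $2 (default /etc/krb5.keytab).

# Print every PAM service file containing a live (uncommented) pam_krb5 line.
# A live entry starts with a management-group keyword, so a '#'-prefixed
# line (the FreeBSD default) is never matched.
pam_krb5_services() {
    pam_dir=$1
    grep -lE '^[[:space:]]*(auth|account|password|session)[[:space:]][^#]*pam_krb5' \
        "$pam_dir"/* 2>/dev/null
}

# Classify the host as one of:
#   not_configured       no live pam_krb5 entry
#   enabled_with_keytab  pam_krb5 live and a keytab is present
#   enabled_no_keytab    the condition the advisory describes: password-based
#                        pam_krb5 with nothing to validate the KDC's reply
assess_pam_krb5() {
    pam_dir=$1
    keytab=$2
    if [ -z "$(pam_krb5_services "$pam_dir")" ]; then
        echo not_configured
    elif [ -s "$keytab" ]; then
        echo enabled_with_keytab
    else
        echo enabled_no_keytab
    fi
}

# Stand-alone use: sh audit_pam_krb5.sh [pam_dir] [keytab]
state=$(assess_pam_krb5 "${1:-/etc/pam.d}" "${2:-/etc/krb5.keytab}")
echo "pam_krb5 state: $state"
if [ "$state" = enabled_no_keytab ]; then
    echo "services with a live pam_krb5 entry:"
    pam_krb5_services "${1:-/etc/pam.d}"
fi
```

Note that only password-based pam_krb5 is in scope; a GSSAPI-only Kerberos setup reporting enabled_no_keytab here still warrants review of the PAM lines, but is not the advisory's vulnerable path.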

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                       9.8     CRITICAL
vendor_debian             9.8     LOW