CVE-2023-3326
Published: 2023-06-22
Priority: P2 · 60 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.10% (61.5th percentile)
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to verify the password. However, if a keytab is not provisioned on the system, pam_krb5 has no way to validate the response from the KDC, and essentially trusts the tgt provided over the network as being valid. In a non-default FreeBSD installation that leverages pam_krb5 for authentication and does not have a keytab provisioned, an attacker that is able to control both the password and the KDC responses can return a valid tgt, allowing authentication to occur for any user on the system.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libpam-krb5 | — | — |
| freebsd | freebsd | < 12.4 | 12.4 |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | >= 12.4-RELEASE < 12.4-RELEASE-p3 | 12.4-RELEASE-p3 |
| freebsd | freebsd | >= 13.0 < 13.1 | 13.1 |
| freebsd | freebsd | >= 13.1-RELEASE < 13.1-RELEASE-p8 | 13.1-RELEASE-p8 |
| freebsd | freebsd | >= 13.2-RELEASE < 13.2-RELEASE-p1 | 13.2-RELEASE-p1 |
Detection & IOCs
- Check for presence of /etc/krb5.conf on the system — its existence indicates Kerberos is configured, which is a prerequisite for the vulnerable code path to be reachable.
- Audit PAM configuration files under /etc/pam.d for uncommented pam_krb5 entries — an active pam_krb5 line without a keytab present is the exploitable condition.
- Verify whether a keytab file is provisioned on the system. Absence of a keytab while pam_krb5 is active means the system cannot validate KDC responses and is vulnerable.
- Monitor for rogue or unexpected KDC responses on the network (AS-REP / TGT issuance) combined with successful PAM authentication events on FreeBSD hosts that lack a keytab — this pattern indicates exploitation.
- pam_krb5 is disabled (commented out) in the default FreeBSD PAM configuration; the vulnerability only affects non-default installations where pam_krb5 has been explicitly enabled.
- GSSAPI-based Kerberos authentication is NOT affected; only password-based pam_krb5 authentication is vulnerable.
- The initial patch from FreeBSD-SA-23:04.pam_krb5 did not fully resolve the issue; FreeBSD-SA-23:09.pam_krb5 was required as a follow-up fix. Ensure the later correction (dated 2023-08-01) is applied.
- Debian (bookworm, bullseye, sid, trixie, forky) also tracks this CVE as open, meaning non-FreeBSD systems using pam_krb5 without a keytab may also be affected.
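
The first three checks above combined into one host audit, as an added example that is not part of the original page or the FreeBSD advisories. The keytab location /etc/krb5.keytab (overridable through a KEYTAB variable), the function names and the fixture contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not FreeBSD project code). Assumed: keytab at /etc/krb5.keytab
# unless KEYTAB is set; function names are illustrative.

# List uncommented pam_krb5 entries under <root>/etc/pam.d as "file:line: text".
active_pam_krb5() {
    dir="${1%/}/etc/pam.d"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Drop comments first so "#auth ... pam_krb5.so" does not count.
        awk -v f="$f" '{ sub(/#.*/, "") } /pam_krb5/ { print f ":" FNR ": " $0 }' "$f"
    done
}

# Return 1 when pam_krb5 is active and no non-empty keytab exists, else 0.
# Pass "/" (or nothing) to audit the live system, or the root of a mounted image.
audit_pam_krb5() {
    root="${1%/}"
    keytab="$root${KEYTAB:-/etc/krb5.keytab}"
    hits=$(active_pam_krb5 "$root")
    if [ -z "$hits" ]; then
        echo "not exposed: no active pam_krb5 entries"
        return 0
    fi
    [ -f "$root/etc/krb5.conf" ] && echo "krb5.conf present: Kerberos is configured"
    if [ -s "$keytab" ]; then
        echo "keytab present at $keytab"
        return 0
    fi
    echo "EXPOSED: pam_krb5 active, no keytab at $keytab"
    echo "$hits"
    return 1
}

# Constructed fixture: a fake root with pam_krb5 enabled for sshd only.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d"
    : > "$d/etc/krb5.conf"
    printf '%s\n' '#auth sufficient pam_krb5.so no_warn' \
        'auth required pam_unix.so' > "$d/etc/pam.d/system"
    printf '%s\n' 'auth sufficient pam_krb5.so no_warn try_first_pass' \
        > "$d/etc/pam.d/sshd"
    echo "$d"
}

fixture=$(make_fixture)
audit_pam_krb5 "$fixture" || echo "(audit returned 1)"
rm -rf "$fixture"
```

A zero exit status only reports that the keytab precondition is met; the patch level from FreeBSD-SA-23:09.pam_krb5 still has to be checked separately.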
CVSS provenance
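| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |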
GHSA
GHSA-vjhp-527w-c5vj
ghsa_unreviewed · 2023-06-22
CVE-2023-3326 [CRITICAL] CWE-287
OSV
CVE-2023-3326
osv · 2023-06-22 · CVSS 9.8
CVE-2023-3326 [CRITICAL]
BSD
FreeBSD-SA-23:09.pam_krb5: Network authentication attack via pam_krb5
bsd_advisories·2023-08-01·CVSS 9.8
CVE-2023-3326 [CRITICAL] FreeBSD-SA-23:09.pam_krb5: Network authentication attack via pam_krb5
FreeBSD-SA-23:09.pam_krb5 Security Advisory
The FreeBSD Project
Topic: Network authentication attack via pam_krb5
Category: core
Module: pam_krb5
Announced: 2023-08-01
Affects: All supported versions of FreeBSD
Corrected: 2023-07-08 05:44:29 UTC (stable/13, 13.2-STABLE)
           2023-08-01 19:50:30 UTC (releng/13.2, 13.2-RELEASE-p2)
           2023-08-01 19:48:09 UTC (releng/13.1, 13.1-RELEASE-p9)
           2023-07-08 05:44:51 UTC (stable/12, 12.4-STABLE)
           2023-08-01 19:46:53 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name: CVE-2023-3326
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Kerberos 5 (krb5) is a computer-network authentication protocol that works on
the basis of tickets to a
BSD
FreeBSD-SA-23:04.pam_krb5: Network authentication attack via pam_krb5
bsd_advisories·2023-06-21·CVSS 9.8
CVE-2023-3326 [CRITICAL] FreeBSD-SA-23:04.pam_krb5: Network authentication attack via pam_krb5
FreeBSD-SA-23:04.pam_krb5 Security Advisory
The FreeBSD Project
Topic: Network authentication attack via pam_krb5
Category: core
Module: pam_krb5
Announced: 2023-06-21
Credits: Taylor R Campbell
Affects: All supported versions of FreeBSD
Corrected: 2023-06-21 05:25:18 UTC (stable/13, 13.2-STABLE)
           2023-06-21 05:27:12 UTC (releng/13.2, 13.2-RELEASE-p1)
           2023-06-21 05:27:22 UTC (releng/13.1, 13.1-RELEASE-p8)
           2023-06-21 05:27:27 UTC (stable/12, 12.4-STABLE)
           2023-06-21 05:43:39 UTC (releng/12.4, 12.4-RELEASE-p3)
CVE Name: CVE-2023-3326
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
Note: This advisory has been supplemented by FreeBSD-SA-23:09.pam_krb5.
Please refer to
htt
Debian
CVE-2023-3326: libpam-krb5
vendor_debian · 2023 · CVSS 9.8
CVE-2023-3326 [CRITICAL] libpam-krb5
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://security.FreeBSD.org/advisories/FreeBSD-SA-23:04.pam_krb5.asc
- https://security.FreeBSD.org/advisories/FreeBSD-SA-23:09.pam_krb5.asc
- https://security.netapp.com/advisory/ntap-20230714-0005/

Published: 2023-06-22