CVE-2020-10595
📋 TL;DR
CVE-2020-10595 is a buffer overflow in the pam-krb5 PAM authentication module that could allow remote code execution when an attacker answers supplemental Kerberos prompts with carefully crafted input. It affects systems running pam-krb5 before version 4.9 with non-standard configurations that trigger supplemental prompting. The vulnerability carries a CVSS score of 9.8, which places it in the critical severity range.
💻 Affected Systems
- pam-krb5
📦 What is this software?
pam-krb5 is a PAM module that authenticates users against a Kerberos KDC; the upstream project is pam-krb5, maintained by Russ Allbery and hosted at eyrie.org.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges leading to complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Heap or stack corruption causing service crashes, denial of service, or potential code execution depending on Kerberos library implementation.
If Mitigated
Limited to denial of service if exploit attempts are detected and blocked, or if vulnerable configurations are not in use.
🎯 Exploit Status
Exploitation requires specific configuration conditions and careful timing of responses to prompts. The vulnerability is in a less commonly used code path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9 and later
Vendor Advisory: https://www.debian.org/security/2020/dsa-4648
Restart Required: Yes
Instructions:
1. Update pam-krb5 to version 4.9 or later (or to your distribution's backported fix) using your distribution's package manager.
2. For Debian/Ubuntu, where the binary package is named libpam-krb5: sudo apt update && sudo apt install --only-upgrade libpam-krb5
3. Restart affected services that authenticate through PAM.
🔧 Temporary Workarounds
Disable supplemental prompting
Remove or disable the PKINIT and no_prompt configurations so that the vulnerable supplemental-prompting code path is not reached.
# Edit PAM configuration files to remove PKINIT and no_prompt options
# Check /etc/pam.d/ and /etc/krb5.conf for relevant configurations
🧯 If You Can't Patch
- Implement network segmentation to isolate systems using vulnerable pam-krb5 configurations
- Deploy intrusion detection systems to monitor for buffer overflow attempts and anomalous authentication patterns
🔍 How to Verify
Check if Vulnerable:
Check the pam-krb5 version: dpkg -l | grep pam-krb5 or rpm -qa | grep pam-krb5. If the version is below 4.9 (or below your distribution's backported fix version) and supplemental prompting is configured, the system is vulnerable.
Check Version:
dpkg -l | grep pam-krb5 || rpm -qa | grep pam-krb5 || find /usr/lib* -name '*pam_krb5*' -exec strings {} \; | grep -i version
Verify Fix Applied:
Verify that the installed pam-krb5 version is 4.9 or higher: dpkg -l | grep pam-krb5 | grep '^ii.*4.9' or the equivalent for your package manager. Note that Debian and Ubuntu security updates backport the fix while keeping the upstream version number, so on those systems compare the installed package version against the fixed version listed in DSA-4648 or USN-4314-1 rather than expecting to see 4.9.
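The version grep above is fragile (a backported fix keeps the old upstream version, and "4.9" also matches "4.90"), and the workaround section asks you to find PKINIT and no_prompt options by hand. The script below, an added example that is not part of this advisory or of the pam-krb5 project, does both checks: it compares the installed package version component by component against a configurable minimum, and it lists the prompting-related options found in PAM and Kerberos configuration files. The package names (libpam-krb5 on Debian/Ubuntu, pam_krb5 on RPM systems), the file paths, and the sample PAM line are assumptions; adjust MIN_FIXED to the fixed version from your vendor's advisory when the fix was backported.

```shell
#!/bin/sh
# Added example (not from the advisory or the pam-krb5 project): decide whether the
# installed pam-krb5 is at or past a fixed version and list the PAM options that
# turn on supplemental prompting. Package names and paths below are assumptions.

# Upstream fix is 4.9. Distributions often backport the fix and keep the upstream
# version number, so on Debian/Ubuntu set this to the fixed version named in
# DSA-4648 / USN-4314-1 instead (e.g. MIN_FIXED='<advisory version>' sh check.sh).
MIN_FIXED="${MIN_FIXED:-4.9}"

# version_ge A B: exit 0 when A >= B. Both strings are split into numeric components
# on every non-digit run, so "4.8-2+deb10u1" compares as 4.8.2.10.1; an epoch prefix
# such as "1:" is stripped first, and missing components count as 0.
version_ge() {
    awk -v a="${1#*:}" -v b="${2#*:}" 'BEGIN {
        n = split(a, x, /[^0-9]+/); m = split(b, y, /[^0-9]+/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# installed_pam_krb5_version: print the installed version from dpkg or rpm, or nothing.
# Package names are assumptions; confirm the RPM package is built from this same
# upstream before trusting the result.
installed_pam_krb5_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # Status is "install ok installed" for a present package; field 4 is the version.
        dpkg-query -W -f='${Status} ${Version}\n' libpam-krb5 2>/dev/null \
            | awk '$3 == "installed" { print $4 }'
    elif command -v rpm >/dev/null 2>&1; then
        # rpm -q prints "not installed" on stdout, so only echo on success.
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' pam_krb5 2>/dev/null) && printf '%s\n' "$v"
    fi
    return 0
}

# pam_krb5_status VERSION MIN: prints not-installed | vulnerable | fixed.
pam_krb5_status() {
    [ -n "$1" ] || { echo "not-installed"; return 0; }
    if version_ge "$1" "$2"; then echo "fixed"; else echo "vulnerable"; fi
}

# pam_krb5_prompting_options FILE...: print, one per line and de-duplicated, the
# option names the advisory associates with supplemental prompts (anything containing
# "pkinit", and "no_prompt"). Whole files are scanned because pam-krb5 also takes its
# options from krb5.conf, where no "pam_krb5" token appears on the line.
pam_krb5_prompting_options() {
    grep -ohiE '[a-z_]*pkinit[a-z_]*|no_prompt' "$@" 2>/dev/null \
        | tr 'A-Z' 'a-z' | sort -u
}

# Stand-alone run: report the installed package, then scan a constructed sample line
# (not a real system file) and, where present, the host's PAM and Kerberos config.
sample=$(mktemp)
printf 'auth sufficient pam_krb5.so try_pkinit no_prompt\n' > "$sample"   # constructed sample
echo "pam-krb5 package: $(pam_krb5_status "$(installed_pam_krb5_version)" "$MIN_FIXED") (minimum fixed: $MIN_FIXED)"
echo "prompting options in sample: $(pam_krb5_prompting_options "$sample" | tr '\n' ' ')"
[ -d /etc/pam.d ] && echo "prompting options on this host: $(pam_krb5_prompting_options /etc/pam.d/* /etc/krb5.conf | tr '\n' ' ')"
rm -f "$sample"
```

A host reports "fixed" only when its package version is at or above MIN_FIXED, so the value you pass in decides the verdict: use 4.9 for a package built from upstream and the vendor advisory's version for a backported fix. An empty "prompting options on this host" line means neither PKINIT nor no_prompt is configured in the scanned files, which is the condition under which the advisory says the vulnerable code path is not triggered.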
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with unusual response lengths
- PAM authentication errors mentioning buffer issues
- Kerberos library crashes or segmentation faults
Network Indicators:
- Unusual authentication traffic patterns to Kerberos services
- Multiple failed authentication attempts with varying response sizes
SIEM Query:
source="auth.log" AND ("pam_krb5" OR "kerberos") AND ("buffer" OR "overflow" OR "segmentation fault")
🔗 References
- http://www.openwall.com/lists/oss-security/2020/03/31/1
- https://github.com/rra/pam-krb5/commit/e7879e27a37119fad4faf133a9f70bdcdc75d760
- https://lists.debian.org/debian-lts-announce/2020/04/msg00000.html
- https://usn.ubuntu.com/4314-1/
- https://www.debian.org/security/2020/dsa-4648
- https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html