CVE-2023-3326
📋 TL;DR
CVE-2023-3326 is an authentication bypass vulnerability in pam_krb5 where the module fails to properly validate Kerberos ticket-granting tickets from the KDC when no keytab is provisioned. This allows attackers who control both password input and KDC responses to authenticate as any user on affected FreeBSD systems. Only non-default FreeBSD installations using pam_krb5 without keytabs are vulnerable.
💻 Affected Systems
- FreeBSD pam_krb5 module
📦 What is this software?
Freebsd by Freebsd
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via authentication bypass allowing attackers to gain unauthorized access as any user, potentially leading to privilege escalation and full system control.
Likely Case
Unauthorized access to systems using pam_krb5 authentication, potentially allowing attackers to access sensitive data or pivot to other systems.
If Mitigated
No impact if keytab is properly provisioned or pam_krb5 is not used for authentication.
🎯 Exploit Status
Exploitation requires the attacker to control both password input and KDC responses, which typically means they need to be in a position to intercept or manipulate Kerberos network traffic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches provided in FreeBSD-SA-23:04 and FreeBSD-SA-23:09 advisories
Vendor Advisory: https://security.FreeBSD.org/advisories/FreeBSD-SA-23:04.pam_krb5.asc
Restart Required: No
Instructions:
1. Update the FreeBSD system to the latest security patches.
2. Apply the patches from FreeBSD-SA-23:04 and FreeBSD-SA-23:09.
3. Ensure pam_krb5 is updated.
4. No restart is required for PAM module updates.
🔧 Temporary Workarounds
Provision Keytab
Ensure a keytab is properly provisioned on the system so that pam_krb5 can validate the KDC's response.
# The keytab must contain the host's own service principal (host/<fqdn>@REALM), not a user
# principal: pam_krb5 validates the TGT by obtaining a service ticket for that principal
# and decrypting it with the key from the keytab. The kvno and password must match the
# KDC's entry for the principal.
# Generate keytab (MIT ktutil syntax): ktutil
# Add principal: add_entry -password -p host/<fqdn>@REALM -k 1 -e aes256-cts-hmac-sha1-96
# Write keytab: wkt /etc/krb5.keytab
Disable pam_krb5
Remove or disable pam_krb5 authentication if it is not required.
# Edit /etc/pam.d/system or the relevant PAM configuration file
# Comment out or remove the pam_krb5.so lines
🧯 If You Can't Patch
- Provision a keytab on all systems using pam_krb5 authentication
- Implement network segmentation to protect KDC communications from interception
🔍 How to Verify
Check if Vulnerable:
Check whether pam_krb5 is configured in the PAM files and whether no usable keytab exists (the command succeeds only in the vulnerable configuration; an empty keytab file counts as missing): grep -l pam_krb5.so /etc/pam.d/* && test ! -s /etc/krb5.keytab
Check Version:
pkg info | grep pam_krb5
Verify Fix Applied:
Verify that the pam_krb5 version is patched and that a keytab exists: pkg info | grep pam_krb5 && test -s /etc/krb5.keytab
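The one-line checks above can be folded into a single defender-side script that reports whether a host is in the vulnerable configuration (pam_krb5 active with no usable keytab). This is an added example, not part of the advisory; the function name, the exit codes and the parameterised paths are assumptions made so the check can be run against a test directory.

```sh
#!/bin/sh
# Added example: report whether this host matches the CVE-2023-3326 exposure
# condition, i.e. pam_krb5.so is loaded by an active PAM line and no keytab
# with content is present. PAM directory and keytab path are parameters
# (defaults are the FreeBSD locations) so the check can be tested offline.
# Returns 0 when not exposed (pam_krb5 inactive, or keytab present),
# 1 when exposed.
check_pam_krb5_exposure() {
    pam_dir="${1:-/etc/pam.d}"
    keytab="${2:-/etc/krb5.keytab}"

    # Only count lines that actually load the module: a facility keyword at
    # the start of the line followed by pam_krb5.so. Commented-out entries
    # (leading '#') therefore do not match.
    active=$(grep -l -E \
        '^[[:space:]]*(auth|account|session|password)[[:space:]].*pam_krb5\.so' \
        "$pam_dir"/* 2>/dev/null || true)

    if [ -z "$active" ]; then
        echo "not exposed: pam_krb5 is not active in $pam_dir"
        return 0
    fi

    # -s: the file must exist and be non-empty. A zero-byte keytab cannot
    # validate anything, so it is treated the same as a missing one.
    # The keytab should also hold host/<fqdn>@REALM; list it with
    # 'ktutil -k /etc/krb5.keytab list' (Heimdal) to confirm.
    if [ -s "$keytab" ]; then
        echo "mitigated: pam_krb5 active in $active; keytab $keytab present"
        return 0
    fi

    echo "EXPOSED: pam_krb5 active in $active; no usable keytab at $keytab"
    return 1
}

# Run against the live system when executed directly.
[ "${RUN_CHECK:-1}" = "1" ] && check_pam_krb5_exposure "$@"
```

The affected module ships in the FreeBSD base system rather than as a package, so compare `freebsd-version -u` against the patch levels listed in the two advisories rather than relying on pkg info alone.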
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful authentication without proper KDC validation
- Unusual authentication patterns in /var/log/auth.log
Network Indicators:
- Unencrypted or manipulated Kerberos traffic to/from KDC
- Suspicious network traffic patterns during authentication
SIEM Query:
source="auth.log" (pam_krb5 AND success) NOT (keytab OR KDC_validation)
🔗 References
- https://security.FreeBSD.org/advisories/FreeBSD-SA-23:04.pam_krb5.asc
- https://security.FreeBSD.org/advisories/FreeBSD-SA-23:09.pam_krb5.asc
- https://security.netapp.com/advisory/ntap-20230714-0005/