9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.2%
Problem Description:
pam_krb5 authenticates the user by essentially running kinit(1) with
the password, getting a `ticket-granting ticket’ (tgt) from the Kerberos
KDC (Key Distribution Center) over the network, as a way to verify the
password.
Normally, the system running the pam_krb5 module will also have a
keytab, a key provisioned by the KDC. The pam_krb5 module will use the
tgt to get a service ticket and validate it against the keytab, ensuring
the tgt is valid and therefore, the password is valid.
However, if a keytab is not provisioned on the system, pam_krb5 has
no way to validate the response from the KDC, and essentially trusts the
tgt provided over the network as being valid.
Impact:
In a non-default FreeBSD installation that leverages pam_krb5 for
authentication and does not have a keytab provisioned, an attacker that
is able to control both the password and the KDC responses can return a
valid tgt, allowing authentication to occur for any user on the
system.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.2%