Advisory

FreeBSD Project patches Critical Vulnerability in FreeBSD Kerberos 5 implementation

Take action: Not a very common operating system these days, and an enterprise-level authentication implementation. Yet if you are using Kerberos 5 on FreeBSD, at least apply the workaround if you can't redeploy patched versions.


Learn More

The FreeBSD Project has reported and patched a critical vulnerability in FreeBSD's Kerberos 5 implementation.

The vulnerability is tracked as CVE-2023-3326, with a CVSSv3 score of 9.8, and lies in the pam_krb5 module used for user authentication in FreeBSD. If a system using pam_krb5 does not have a keytab file provisioned, an attacker who controls both the password and the Kerberos Key Distribution Center (KDC) responses can authenticate as any user on the system by returning a valid ticket-granting ticket (TGT).

In simple terms:

  1. There is a system called Kerberos that helps with user authentication. When you want to log in to a computer system, you usually need to provide a username and password to prove that you are the correct user.

  2. One way Kerberos verifies your password is by using a special ticket called a ticket-granting ticket (TGT). This TGT is obtained from a central server called the Key Distribution Center (KDC) over the network. When you enter your password, a module called pam_krb5 performs a kinit-style request with your password to get the TGT from the KDC.

  3. Usually, there is a file called a keytab on the computer system. This keytab helps pam_krb5 validate the TGT received from the KDC. It acts like a secret key that confirms the TGT is legitimate. However, in some cases, the computer system doesn't have a keytab provisioned. This means that pam_krb5 doesn't have a way to check if the TGT received from the KDC is valid or not.

  4. If an attacker can control both the password and the KDC responses, they can trick pam_krb5 into accepting a fake or unauthorized TGT as valid.

  5. In a non-default FreeBSD installation that uses pam_krb5 for authentication but doesn't have a keytab, this vulnerability can allow the attacker to authenticate as any user on the system by providing a fake TGT.

Impacted versions

All supported versions of FreeBSD

Fixed versions

  • 2023-06-21 05:25:18 UTC (stable/13, 13.2-STABLE)
  • 2023-06-21 05:27:12 UTC (releng/13.2, 13.2-RELEASE-p1)
  • 2023-06-21 05:27:22 UTC (releng/13.1, 13.1-RELEASE-p8)
  • 2023-06-21 05:27:27 UTC (stable/12, 12.4-STABLE)
  • 2023-06-21 05:43:39 UTC (releng/12.4, 12.4-RELEASE-p3)

Solution and Workaround

To address this issue, upgrade your vulnerable FreeBSD system to a supported stable branch or a release/security branch (releng) dated after the correction date. This ensures that the necessary security fixes have been applied to your system.

If you do not use Kerberos at all, make sure that the /etc/krb5.conf file is not present on your system. Additionally, ensure that the pam_krb5 configuration is commented out in the PAM configuration file (usually located at /etc/pam.d, as documented in pam.conf(5)). It's worth noting that the default FreeBSD PAM configuration already has pam_krb5 commented out.

If you use Kerberos but do not use pam_krb5, ensure that the pam_krb5 configuration is commented out in your PAM configuration file (/etc/pam.d).

If you use pam_krb5, make sure that you have a keytab on your system, which should be provided by your Kerberos administrator.
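The three workaround conditions above (pam_krb5 disabled, no stray /etc/krb5.conf, or a keytab present when pam_krb5 is enabled) can be turned into a quick audit. This is an added example, not code from the FreeBSD advisory; it assumes the default keytab path /etc/krb5.keytab and runs against a constructed sample tree rather than the live system unless AUDIT_ROOT is set.

```shell
#!/bin/sh
# Added example (not the FreeBSD Project's code): audit a host for the advisory's
# workaround conditions. ROOT is a directory prefix so the same check can be run
# against a constructed sample tree instead of the live /etc.
check_pam_krb5() {
    root="${1:-}"
    pamdir="$root/etc/pam.d"
    krb5conf="$root/etc/krb5.conf"
    keytab="$root/etc/krb5.keytab"    # assumed default keytab path; adjust per site
    # PAM service files containing an uncommented line that loads pam_krb5
    active=$(grep -l '^[[:space:]]*[^#[:space:]].*pam_krb5' "$pamdir"/* 2>/dev/null | tr '\n' ' ')
    if [ -z "$active" ]; then
        if [ -f "$krb5conf" ]; then
            echo "INFO: pam_krb5 disabled, but $krb5conf exists; remove it if Kerberos is unused"
        else
            echo "OK: pam_krb5 disabled and no $krb5conf"
        fi
        return 0
    fi
    [ -f "$krb5conf" ] || echo "WARN: pam_krb5 enabled but $krb5conf is missing"
    if [ ! -s "$keytab" ]; then
        echo "VULNERABLE: pam_krb5 enabled in $active but no keytab at $keytab"
        return 2
    fi
    echo "OK: pam_krb5 enabled and keytab present at $keytab"
    return 0
}

# Constructed sample tree: a non-default host that enabled pam_krb5 in the
# 'system' PAM service but never provisioned a keytab (the vulnerable state).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d"
    printf 'auth\t\tsufficient\tpam_krb5.so\t\tno_warn try_first_pass\n' > "$d/etc/pam.d/system"
    printf 'auth\t\trequired\tpam_unix.so\t\tno_warn try_first_pass\n' >> "$d/etc/pam.d/system"
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.ORG\n' > "$d/etc/krb5.conf"
    printf '%s\n' "$d"
}

# Run against the live system with: AUDIT_ROOT= sh audit.sh   (empty prefix = /)
if [ "${AUDIT_ROOT+set}" = set ]; then
    check_pam_krb5 "$AUDIT_ROOT"
fi
```

Exit status 2 marks the vulnerable combination (pam_krb5 enabled, keytab absent or empty); 0 means the host is in one of the states the advisory describes as safe.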
