FreeBSD Security Advisory FreeBSD-SA-23:09.pam_krb5

From: FreeBSD Security Advisories <security-advisories_at_freebsd.org>
Date: Tue, 01 Aug 2023 21:38:22 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:09.pam_krb5                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Network authentication attack via pam_krb5

Category:       core
Module:         pam_krb5
Announced:      2023-08-01
Affects:        All supported versions of FreeBSD
Corrected:      2023-07-08 05:44:29 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:50:30 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:48:09 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-07-08 05:44:51 UTC (stable/12, 12.4-STABLE)
                2023-08-01 19:46:53 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-3326

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Kerberos 5 (krb5) is a computer-network authentication protocol that works on
the basis of tickets to allow nodes communicating over a non-secure network
to prove their identity to one another in a secure manner.

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.

pam_krb5 is a PAM module that allows using a Kerberos password to
authenticate the user. pam_krb5 is disabled in the default FreeBSD
installation.

pam_krb5 uses passwords for authentication, which is distinct from
Kerberos native protocols like GSSAPI, which allows for login without the
exchange of passwords. GSSAPI is not affected by this issue.

II.  Problem Description

The problem detailed in FreeBSD-SA-23:04.pam_krb5 persisted following
the patch for that advisory.

III. Impact

The impact described in FreeBSD-SA-23:04.pam_krb5 persists.

IV.  Workaround

If you are not using Kerberos at all, ensure /etc/krb5.conf is missing from
your system. Additionally, ensure pam_krb5 is commented out of your PAM
configuration located as documented in pam.conf(5), generally /etc/pam.d.
Note, the default FreeBSD PAM configuration has pam_krb5 commented out.

If you are using Kerberos, but not using pam_krb5, ensure pam_krb5 is
commented out of your PAM configuration located as documented in pam.conf(5),
generally /etc/pam.d. Note, the default FreeBSD PAM configuration has
pam_krb5 commented out.

If you are using pam_krb5, ensure you have a keytab on your system as
provided by your Kerberos administrator.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch
# fetch https://security.FreeBSD.org/patches/SA-23:09/pam_krb5.patch.asc
# gpg --verify pam_krb5.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the PAM module, or reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              d295e418ae7e    stable/13-n255792
releng/13.2/                            9b45d8eddfac  releng/13.2-n254622
releng/13.1/                            140f65a20533  releng/13.1-n250188
stable/12/                                                        r373127
releng/12.4/                                                      r373150
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3326>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:09.pam_krb5.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdskACgkQbljekB8A
Gu9QjQ/7BlRQJGHtf/tljjCbzVKAOTcknk/d2VncZ4dDidsHWgO4umaYIrQzYxX0
1mBtLEPZ7vHt2t4IC4NZ1FP7wrdLNDWCfHcKlP9p9tCzhh2zQXgv6NHbruUTMtJX
/LN+fxdOcRo++23ae0ohaBUwFVo69/nel0KnSq3QOeSwzJdvaW9cggimOK96pvB1
QXsqJvb9uBZGdv0yufZ4xJ174xDVnchBY/wvLx2qSdAsXGPO6ihvoeJHFJ7JAYLP
JYtEAKkgHnkDtG9cw9DQigskwr8VC0x8J+9JG5H4zTXtzofng4pFD7+LBDhozoPy
FRGi5IfWA4VkeQYDaMB9mE37R333PpKFfJZWF8cwOyeLXNTTUvtPEu2k0DRvljqs
6lmKcqNLJMbbHa7jIDwdYs5wrSqXJuKOD0Fsj/QScfqWphK86oz6VBdft71A+g55
D9QFVoXZ2kYTdJ3mMvcKPCdsnixVdtIaaTQ+Embeu2dnMUemc9xsRiPNp18a5y1a
EgLJ5WHIVJoCjte7HROnPKN6IeB7G/laPeewpoO8AJqL46Z+Ch0PMJacYLhNp5fn
9rDnJkurJBa4hqii05MztQvhvaoJyy1WFQbObrzfNQI7Hl+EtMb8dlP09qsiWeGq
27gca8AB1KaMbG+Wwc92n1cn8ZSiF6WT0cV/+Cx3lYuIbmMgnBU=
=eKnj
-----END PGP SIGNATURE-----