Bugzilla – Bug 1212615
VUL-0: CVE-2023-3326: sssd,pam_krb5: PAM/Kerberos issue on NetBSD
Last modified: 2023-09-26 15:27:26 UTC
CVE-2023-3326 - Posted by Alistair Crooks on Jun 21:

Hi folks,

The fix for a pam/kerberos issue on NetBSD has already been fixed and pullups requested for release branches, see: https://mail-index.netbsd.org/source-changes/2023/06/20/msg145461.html (commit log appended to this mail) and CVE-2023-3326

For various platforms, the exposure is not thought to be that great
+ Linux - not believed to be affected (would be good to get some corroboration for this)
+ FreeBSD - affected, but not in the...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3326
https://seclists.org/oss-sec/2023/q2/245
Apparently pam_krb5 and sssd-krb5 are also affected: https://seclists.org/oss-sec/2023/q2/254
Hello,

From the pam_krb5 man pages:

"If that keytab cannot be read or if no keys are found in it, the default (potentially insecure) behavior is to skip this check. If you want to instead fail authentication if the obtained tickets cannot be checked, set verify_ap_req_nofail to true in the [libdefaults] section of /etc/krb5.conf. Note that this will affect applications other than this PAM module."

And as was explained further in the mail thread, there isn't a safe option. If we want to be sure that authentication fails by default in case the keytab cannot be read, we should probably add `verify_ap_req_nofail true` by default in /etc/krb5.conf.

Add Need info to scabrero@suse.com (maintainer of krb5): Could we add this conf by default from the krb5 package?

Add Need info to kukuk@suse.com: Have you already faced this security issue with PAM modules in the past?
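A defender-side check for the setting discussed in this comment, added here as an example (it is not from the bug report or from the krb5, pam_krb5 or sssd packages): it parses a krb5.conf and reports whether [libdefaults] explicitly enables verify_ap_req_nofail, so an absent or false value can be flagged during a configuration audit. The accepted boolean spellings are taken from memory of libkrb5's profile library and treated as an assumption; both sample configs are constructed.

```python
"""Audit a krb5.conf for verify_ap_req_nofail in [libdefaults]."""
import re

# Boolean spellings accepted by libkrb5's profile library (case-insensitive).
# Listed from memory of libkrb5 behaviour: treat as an assumption.
_TRUE = {"y", "yes", "true", "t", "1", "on"}


def parse_krb5_conf(text):
    """Flatten a krb5.conf into {section: {key: value}} for top-level keys.

    Nested "{ ... }" blocks (realm definitions and the like) are skipped,
    because only each section's top-level keys matter for this check.
    Comments are lines starting with '#' or ';', as krb5.conf defines them.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1).lower(), {})
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0 and current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def verify_ap_req_nofail_enabled(text):
    """True only when [libdefaults] explicitly sets verify_ap_req_nofail true.

    Absent or false means the default described in the pam_krb5 man page
    applies: an unreadable keytab skips the AP-REQ verification of the TGT.
    """
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    return libdefaults.get("verify_ap_req_nofail", "").lower() in _TRUE


# Constructed sample: realm and KDC names are placeholders.
WEAK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Same config with the hardening from the man page added.
HARDENED_CONF = WEAK_CONF.replace(
    "dns_lookup_kdc = true", "dns_lookup_kdc = true\n    verify_ap_req_nofail = true")
```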
(In reply to Valentin Lefebvre from comment #2)
> If we want to be sure that the authentication fails by default in case of
> the keytab cannot be read, we probably should add the `verify_ap_req_nofail
> true` by default in /etc/krb5.conf.
>
> Add Need info to scabrero@suse.com(maintainer of krb5): Could we add this
> conf by default from krb5 package?

Changing the default was discussed in 2011 and dismissed because it could break deployments not using host keys.

https://mailman.mit.edu/pipermail/krbdev/2011-January/009796.html

Apart from that, IMO enabling it by default can lead to an invalid krb5.conf because it assumes that the user will set up host keys, create the keytab and make it readable for pam_krb5.
Thanks Samuel for your feedback.

Our pam-krb5 by default leaves the spoofing vulnerability in place when using the Kerberos method krb5_verify_init_creds(), which is driven by the verify_ap_req_nofail option. FreeBSD, by the patch mentioned in this bug, does the opposite, adding a new argument to the PAM module, "allow_kdc_spoof", which is false by default to avoid the spoofing.

I've asked the upstream of our PAM module if the FreeBSD patch can be adapted to it. As the implementations of FreeBSD/pam-krb5 and Linux/pam-krb5 are totally different, we cannot just apply their patch.
A Jira ticket has been created to change the Kerberos default config file. See https://jira.suse.com/browse/PED-5718.
(In reply to Valentin Lefebvre from comment #8)
> Jira ticket has been created in the way to change the Kerberos default
> config file. See https://jira.suse.com/browse/PED-5718.

Hi Valentin, the IBS request is approved, do you agree to close the bug?
(In reply to Samuel Cabrero from comment #9)
> (In reply to Valentin Lefebvre from comment #8)
> > Jira ticket has been created in the way to change the Kerberos default
> > config file. See https://jira.suse.com/browse/PED-5718.
>
> Hi Valentin, the IBS request is approved, do you agree to close the bug?

Sure, thanks. I close the bug as resolved.