
Cloud Vulnerability DB
A community-led vulnerabilities database
pam_krb5 authenticates a user essentially by running kinit with the supplied password: it obtains a ticket-granting ticket (TGT) from the Kerberos KDC (Key Distribution Center) over the network as a way to verify the password. The vulnerability (CVE-2023-3326) was discovered in June 2023 and affects systems that use pam_krb5 for authentication without a provisioned keytab. The issue impacts various operating systems including FreeBSD and NetBSD, though Linux systems are not believed to be affected (FreeBSD Advisory, OSS Security).
The vulnerability stems from pam_krb5's authentication process, in which it obtains a TGT from the KDC over the network. Without a keytab provisioned on the system, pam_krb5 has no key with which to validate the KDC's response, so it essentially trusts the TGT received over the network as genuine. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).
On affected systems, an attacker who controls both the password and the KDC responses can return a TGT that pam_krb5 accepts as valid, allowing authentication to succeed for any user on the system. This could lead to unauthorized access, disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (FreeBSD Advisory, NetApp Advisory).
Several mitigation strategies are available (FreeBSD Advisory):
1) For systems not using Kerberos, ensure /etc/krb5.conf is missing and pam_krb5 is commented out of the PAM configuration.
2) For systems using Kerberos but not pam_krb5, ensure pam_krb5 is commented out of the PAM configuration.
3) For systems using pam_krb5, ensure a keytab is provisioned on the system as provided by the Kerberos administrator.
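The three mitigation cases map directly onto a host check: is pam_krb5 actually loaded by any PAM service, is Kerberos configured at all, and if pam_krb5 is active, is there a keytab for it to validate the KDC's reply against. The POSIX sh helper below is an added example written for this entry, not code from the FreeBSD advisory or the pam_krb5 project. The function name pam_krb5_audit, its exit codes, and the default paths /etc/pam.d, /etc/krb5.conf and /etc/krb5.keytab are assumptions (the defaults follow the usual FreeBSD/MIT layout and can be overridden by arguments); the demonstration at the bottom runs against a constructed configuration tree in a temporary directory, not a real host.

```shell
#!/bin/sh
# Added audit helper for CVE-2023-3326 (example code, not from the advisory).
# Usage: pam_krb5_audit [pam_dir] [krb5_conf] [keytab]
# Prints one status line and returns:
#   0  not exposed: pam_krb5 is not loaded, or it is loaded and a keytab exists
#   1  EXPOSED: pam_krb5 is active in the PAM configuration but no keytab exists
#   2  informational: Kerberos is configured (krb5.conf) but pam_krb5 is unused

pam_krb5_in_use() {
    # Return 0 if any non-commented line in any file under the PAM config
    # directory loads pam_krb5. "^[^#]*pam_krb5" only matches when pam_krb5
    # appears before any "#" on the line, so commented-out entries (the
    # FreeBSD default, e.g. "#auth sufficient pam_krb5.so ...") do not count.
    dir=$1
    [ -d "$dir" ] || return 1
    grep -q '^[^#]*pam_krb5' "$dir"/* 2>/dev/null
}

pam_krb5_audit() {
    pam_dir=${1:-/etc/pam.d}            # assumed default PAM config directory
    krb5_conf=${2:-/etc/krb5.conf}      # assumed default Kerberos config path
    keytab=${3:-/etc/krb5.keytab}       # assumed default system keytab path

    if pam_krb5_in_use "$pam_dir"; then
        # Mitigation case 3: pam_krb5 is in use, so a keytab must be provisioned.
        if [ -s "$keytab" ]; then
            echo "OK: pam_krb5 active and keytab present at $keytab"
            return 0
        fi
        echo "EXPOSED: pam_krb5 active in $pam_dir but no keytab at $keytab"
        return 1
    fi
    # Mitigation case 2: Kerberos configured but pam_krb5 commented out.
    if [ -e "$krb5_conf" ]; then
        echo "INFO: Kerberos configured ($krb5_conf) but pam_krb5 not loaded by PAM"
        return 2
    fi
    # Mitigation case 1: no Kerberos config and no pam_krb5.
    echo "OK: no krb5.conf and pam_krb5 not loaded by PAM"
    return 0
}

# Demonstration on a constructed configuration tree (constructed sample, not a real host).
demo=$(mktemp -d)
mkdir -p "$demo/pam.d"
printf '%s\n' '# pam_krb5 commented out, as shipped by default' \
    '#auth sufficient pam_krb5.so no_warn try_first_pass' \
    'auth required pam_unix.so' > "$demo/pam.d/sshd"
pam_krb5_audit "$demo/pam.d" "$demo/krb5.conf" "$demo/krb5.keytab" || :   # case 1: OK
touch "$demo/krb5.conf"
printf 'auth sufficient pam_krb5.so no_warn try_first_pass\n' > "$demo/pam.d/login"
pam_krb5_audit "$demo/pam.d" "$demo/krb5.conf" "$demo/krb5.keytab" || :   # EXPOSED
printf 'placeholder keytab bytes\n' > "$demo/krb5.keytab"                  # constructed stand-in
pam_krb5_audit "$demo/pam.d" "$demo/krb5.conf" "$demo/krb5.keytab" || :   # case 3: OK
rm -rf "$demo"
```

Run it with no arguments on a FreeBSD host to audit the live configuration; exit code 1 is the condition the advisory describes, and the fix is either to provision the keytab from the Kerberos administrator or to comment pam_krb5 out of every file under /etc/pam.d. The check only looks for an active pam_krb5 line and a non-empty keytab file; it does not verify that the keytab holds a key for the host principal, which still has to be confirmed with the Kerberos tooling on the system.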
Source: This report was generated using AI