CVE-2020-10595 - OpenCVE

pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single '\0' byte if an attacker responds to a prompt with an answer of a carefully chosen length. The effect may range from heap corruption to stack corruption depending on the structure of the underlying Kerberos library, with unknown effects but possibly including code execution. This code path is not used for normal authentication, but only when the Kerberos library does supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Pam-krb5 Project	Pam-krb5

Configuration 1 [-]

cpe:2.3:a:pam-krb5_project:pam-krb5:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2020/03/31/1	Mailing List Patch Third Party Advisory
https://github.com/rra/pam-krb5/commit/e7879e27a37119fad4faf133a9f70bdcdc75d760	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/04/msg00000.html	Mailing List Third Party Advisory
https://usn.ubuntu.com/4314-1/
https://www.debian.org/security/2020/dsa-4648	Third Party Advisory
https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-03-31T12:36:10

Updated: 2020-04-06T12:28:20

Reserved: 2020-03-16T00:00:00

Link: CVE-2020-10595

JSON object: View

NVD Information

Status : Modified

Published: 2020-03-31T13:15:13.130

Modified: 2020-04-04T00:15:23.717

Link: CVE-2020-10595

JSON object: View

Redhat Information

No data.

CWE

CWE-120

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single '\\0' byte if an attacker responds to a prompt with an answer of a carefully chosen length. The effect may range from heap corruption to stack corruption depending on the structure of the underlying Kerberos library, with unknown effects but possibly including code execution. This code path is not used for normal authentication, but only when the Kerberos library does supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-06T12:28:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rra/pam-krb5/commit/e7879e27a37119fad4faf133a9f70bdcdc75d760"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.openwall.com/lists/oss-security/2020/03/31/1"}, {"name": "DSA-4648", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4648"}, {"name": "[debian-lts-announce] 20200401 [SECURITY] [DLA 2166-1] libpam-krb5 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00000.html"}, {"name": "USN-4314-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4314-1/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10595", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single '\\0' byte if an attacker responds to a prompt with an answer of a carefully chosen length. The effect may range from heap corruption to stack corruption depending on the structure of the underlying Kerberos library, with unknown effects but possibly including code execution. This code path is not used for normal authentication, but only when the Kerberos library does supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rra/pam-krb5/commit/e7879e27a37119fad4faf133a9f70bdcdc75d760", "refsource": "CONFIRM", "url": "https://github.com/rra/pam-krb5/commit/e7879e27a37119fad4faf133a9f70bdcdc75d760"}, {"name": "http://www.openwall.com/lists/oss-security/2020/03/31/1", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2020/03/31/1"}, {"name": "DSA-4648", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4648"}, {"name": "[debian-lts-announce] 20200401 [SECURITY] [DLA 2166-1] libpam-krb5 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00000.html"}, {"name": "USN-4314-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4314-1/"}, {"name": "https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html", "refsource": "MISC", "url": "https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10595", "datePublished": "2020-03-31T12:36:10", "dateReserved": "2020-03-16T00:00:00", "dateUpdated": "2020-04-06T12:28:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pam-krb5_project:pam-krb5:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF19D71B-DDDF-48C8-89F2-7561C6A8972C", "versionEndExcluding": "4.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "pam-krb5 before 4.9 has a buffer overflow that might cause remote code execution in situations involving supplemental prompting by a Kerberos library. It may overflow a buffer provided by the underlying Kerberos library by a single '\\0' byte if an attacker responds to a prompt with an answer of a carefully chosen length. The effect may range from heap corruption to stack corruption depending on the structure of the underlying Kerberos library, with unknown effects but possibly including code execution. This code path is not used for normal authentication, but only when the Kerberos library does supplemental prompting, such as with PKINIT or when using the non-standard no_prompt PAM configuration option."}, {"lang": "es", "value": "pam-krb5 versiones anteriores a 4.9, presenta un desbordamiento del b\u00fafer que puede causar una ejecuci\u00f3n de c\u00f3digo remota en situaciones que involucran una sugerencia suplementaria para una biblioteca de Kerberos. Esto puede desbordar un b\u00fafer proporcionado por la biblioteca Kerberos subyacente por un solo byte \"\\0\" si un atacante responde a un aviso con una respuesta de una longitud cuidadosamente elegida. El efecto puede variar desde una corrupci\u00f3n en la regi\u00f3n heap hasta una corrupci\u00f3n en la regi\u00f3n stack dependiendo de la estructura de la biblioteca de Kerberos subyacente, con efectos desconocidos pero posiblemente incluyendo una ejecuci\u00f3n de c\u00f3digo. Esta ruta de c\u00f3digo no es usada para una autenticaci\u00f3n normal, sino solo cuando la biblioteca de Kerberos realiza una sugerencia suplementaria, tal y como con PKINIT o cuando se utiliza la opci\u00f3n de configuraci\u00f3n no_prompt PAM no est\u00e1ndar."}], "id": "CVE-2020-10595", "lastModified": "2020-04-04T00:15:23.717", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-31T13:15:13.130", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/03/31/1"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rra/pam-krb5/commit/e7879e27a37119fad4faf133a9f70bdcdc75d760"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00000.html"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4314-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4648"}, {"source": "cve@mitre.org", "url": "https://www.eyrie.org/~eagle/software/pam-krb5/security/2020-03-30.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}