CVE-2020-10595

Name of the Vulnerable Software and Affected Versions pam-krb5 versions prior to 4.9

Description The issue is related to a buffer overflow in pam-krb5 that may cause remote code execution when the Kerberos library performs supplemental prompting. This can happen if an attacker responds to a prompt with a carefully chosen answer length, potentially overflowing a buffer provided by the underlying Kerberos library. The effect can range from heap corruption to stack corruption, with possible code execution. This code path is used when the Kerberos library does supplemental prompting, such as with PKINIT or the non-standard no prompt PAM configuration option.

Recommendations For versions prior to 4.9, update to version 4.9 or later to resolve the issue. As a temporary workaround, consider disabling supplemental prompting by the Kerberos library until a patch is available. Restrict access to the pam-krb5 library to minimize the risk of exploitation. Avoid using the non-standard no prompt PAM configuration option until the issue is resolved.