Red Hat Bugzilla – Bug 502602
CVE-2009-1384 pam_krb5: Password prompt varies for existent and non-existent users
Last modified: 2010-03-31 02:54:18 EDT
A security flaw was found in PAM pam_krb5 module, providing user authentication
based on Kerberos principals. A remote attacker could use this flaw to recognize, if some username/login belongs to set of user accounts,
existing on the system, and subsequently perform dictionary based password
This issue does NOT affect the versions of the pam_krb5 package, as shipped
with Red Hat Enterprise Linux 3 and 4.
This issue does affect the version of the pam_krb5 package, as shipped
with Red Hat Enterprise Linux 5.
Official statement from Red Hat (2009/05/28):
Red Hat is aware of this issue and is tracking it via the following bug:
This issue did not affect the versions of the pam_krb5 package, as shipped
with Red Hat Enterprise Linux 2.1, 3 or 4.
The Red Hat Security Response Team has rated this issue as having low security
impact. Future pam_krb5 updates in Red Hat Enterprise Linux 5 will address
The vulnerability requires unlikely configuration(s) of the main system
PAM (Pluggable Authentication Modules) configuration file, namely:
i, configuration, when pam_krb5.so PAM module is used as the only one
authentication policy module, or
ii, configuration, where pam_krb5.so module is used prior to the
standard Unix authentication module (pam_unix.so) for handling
The occurrence of the vulnerability can be prevented by using the
default configuration of the system PAM configuration file, as created by
the 'authconfig' interface, providing configuration of system authentication
More information regarding issue severity can be found here:
pam_krb5-2.3.5-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
pam_krb5-2.3.5-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
pam_krb5-2.3.5-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0258 https://rhn.redhat.com/errata/RHSA-2010-0258.html