Overview
CVE-2025-24032 identifies a critical vulnerability in PAM-PKCS#11, a Linux-PAM module enabling X.509 certificate-based authentication.
Technical Details
The vulnerability, classified under CWE-287: Improper Authentication, arises when cert_policy is set to none (the default). In that configuration, pam_pkcs11 validates only that a user can log into a token, without requiring verification of a signature made with the private key.
This means an attacker can craft a token using a victim's public certificate and a known PIN. Since no signature is required, the attacker can bypass authentication and gain unauthorized access.
Severity and CVSS
- CVSS 4.0 Base Score: 9.2 (Critical)
- Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L
Affected Versions
All versions prior to pam_pkcs11-0.6.13 are impacted.
Mitigation and Recommendations
- Upgrade to version 0.6.13 immediately.
- In pam_pkcs11.conf, explicitly set cert_policy = signature; so that private key verification is enforced.
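The two recommendations above can be checked from a shell. The script below is an added example, not code from the advisory or from the pam_pkcs11 project: it scans a pam_pkcs11.conf for cert_policy values that omit signature (or for the option being absent, which leaves the none default in force) and compares a version string against the fixed release 0.6.13. The configuration layout used for the constructed samples (a pkcs11_module block holding cert_policy inside a pam_pkcs11 block) follows the upstream pam_pkcs11.conf syntax and is an assumption of this example.

```shell
#!/bin/sh
# Audit helper for the CVE-2025-24032 mitigations: added example, not from the
# advisory or the pam_pkcs11 project. The config layout (a
# "pkcs11_module <name> { ... }" block holding cert_policy) is assumed to
# follow the upstream pam_pkcs11.conf syntax.

# Print each cert_policy value in the file, one per line, with blanks removed.
# Lines commented out with '#' are skipped. No output means the option is
# absent and the module falls back to its default, which is "none".
cert_policies() {
  sed -n 's/^[[:space:]]*cert_policy[[:space:]]*=[[:space:]]*\([^;]*\);.*$/\1/p' "$1" \
    | tr -d '[:blank:]'
}

# Return 0 when every cert_policy in the file includes "signature", 1 otherwise.
check_cert_policy() {
  policies=$(cert_policies "$1")
  if [ -z "$policies" ]; then
    echo "$1: cert_policy not set; default 'none' skips signature verification"
    return 1
  fi
  status=0
  for p in $policies; do
    case ",$p," in
      *,signature,*) echo "$1: cert_policy = $p (signature enforced)" ;;
      *) echo "$1: cert_policy = $p (no signature verification)"; status=1 ;;
    esac
  done
  return $status
}

# Return 0 when the supplied pam_pkcs11 version string is 0.6.13 or later.
# Distribution suffixes such as "-2" are stripped before comparing.
is_fixed_version() {
  printf '%s\n' "$1" | sed 's/[^0-9.].*//' \
    | awk -F. '{ ok = ($1 > 0) || ($1 == 0 && ($2 > 6 || ($2 == 6 && $3 >= 13))); exit !ok }'
}

# Constructed sample configurations (not captured from a real system): one with
# the insecure default spelled out, one with the recommended hardened policy.
weak_conf=$(mktemp)
hardened_conf=$(mktemp)
trap 'rm -f "$weak_conf" "$hardened_conf"' EXIT

cat >"$weak_conf" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    # cert_policy = signature;   (commented out, so it does not count)
    cert_policy = none;
  }
}
EOF

cat >"$hardened_conf" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    cert_policy = ca, signature;
  }
}
EOF

for conf in "$weak_conf" "$hardened_conf"; do
  check_cert_policy "$conf" || true   # report only; the exit status is for callers
done

for v in 0.6.12 0.6.13 0.6.13-2 0.7.0; do
  if is_fixed_version "$v"; then
    echo "pam_pkcs11 $v: fixed release"
  else
    echo "pam_pkcs11 $v: vulnerable, upgrade to 0.6.13"
  fi
done
```

On a real host, point check_cert_policy at the installed pam_pkcs11.conf (commonly under /etc/pam_pkcs11/) and feed is_fixed_version the version reported by the package manager; a policy such as ca,signature passes because the check only requires that signature be present among the comma-separated values.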
Conclusion
This vulnerability demonstrates the dangers of insecure default configurations. Ensuring that authentication relies on proper cryptographic verification is critical for maintaining secure login workflows.
For more technical details and mitigation steps, refer to the official GitHub advisory.