Tag: pam_pkcs11

  • CVE-2025-24032: Authentication Bypass in PAM-PKCS#11 Due to Insecure Default `cert_policy` Setting

    Overview

    On February 10, 2025, a critical vulnerability was published under the identifier CVE-2025-24032, affecting the PAM-PKCS#11 module maintained by OpenSC. This Linux-PAM login module facilitates user authentication via X.509 certificates and is commonly integrated into secure systems that use smartcards or cryptographic tokens. The vulnerability has been rated CRITICAL with a CVSS v4.0 base score of 9.2.

    Technical Details

    The vulnerability stems from the default value of the cert_policy configuration parameter in pam_pkcs11. When cert_policy is left at its default, none, pam_pkcs11 never asks the presented token to prove that it can perform a private key operation such as signing a challenge. It only checks that the certificate is present on a token and that the user can log into that token with its PIN.

    This is a severe gap. An attacker can fabricate a token that carries the victim's public certificate (which is not secret) and protect it with a PIN the attacker knows. Because possession of the matching private key is never exercised, the module has no way to tell this token from the genuine one, and the attacker is logged in as the victim.

    Affected Versions

    The issue affects all versions from pam_pkcs11-0.6.0 up to but not including 0.6.13.

    CVSS v4.0 Vector

    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

    (CVSS v4.0 has no Scope metric; it replaces the v3 Scope/C/I/A fields with separate Vulnerable System and Subsequent System impact metrics.)

    • Attack Vector: Network
    • Attack Complexity: Low
    • Attack Requirements: Present (the attacker must craft a token carrying the victim's certificate)
    • Privileges Required: None
    • User Interaction: None
    • Vulnerable System Confidentiality and Integrity Impact: High
    • Vulnerable System Availability Impact: Low
    • Subsequent System Confidentiality, Integrity and Availability Impact: Low

    Mitigation

    Users are strongly advised to upgrade to pam_pkcs11 version 0.6.13 or later, which enforces signature-based validation by default. As an immediate workaround, and as a safeguard on a patched system, set cert_policy explicitly in pam_pkcs11.conf. The directive lives inside the pkcs11_module block of the module selected by use_pkcs11_module, takes a comma-separated list of checks, and must include signature (for example cert_policy = ca,signature; to also require a chain to a trusted CA). After upgrading, re-check that a distribution-shipped or locally edited configuration does not still carry cert_policy = none;.

    Conclusion

    CVE-2025-24032 exemplifies the risks of insecure defaults in authentication modules. In critical environments that use smartcard-based login, skipping private key validation opens the door to silent impersonation: a public certificate is all the attacker needs. Updating PAM-PKCS#11 and revisiting the cert_policy setting is imperative to mitigate this threat.

  • Authentication Bypass in PAM-PKCS#11 due to Weak Default `cert_policy` Setting

    Overview

    CVE-2025-24032 identifies a critical vulnerability in PAM-PKCS#11, a Linux-PAM module enabling X.509 certificate-based authentication.

    Technical Details

    The vulnerability, classified under CWE-287: Improper Authentication, arises when cert_policy is set to none (the default). In that case pam_pkcs11 validates only that a user can log into a token; it never requires a signature made with the private key that matches the certificate.

    This means an attacker can craft a token using a victim’s public certificate and a known PIN. Since no signature is required, the attacker can bypass authentication and gain unauthorized access.

    Severity and CVSS

    • CVSS 4.0 Base Score: 9.2 (Critical)
    • Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

    Affected Versions

    All versions prior to pam_pkcs11-0.6.13 are impacted.

    Mitigation and Recommendations

    • Upgrade to version 0.6.13 or later immediately.
    • In pam_pkcs11.conf, set cert_policy = signature; explicitly (inside the pkcs11_module block of the module in use; it may be combined with other checks, e.g. cert_policy = ca,signature;) to enforce private key verification.
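    Both entries on this page end with the same advice: make sure the active module's cert_policy includes signature. The following POSIX shell script is an added example (it is not part of either entry and is not OpenSC's own tooling) that audits a pam_pkcs11.conf for exactly that condition. It embeds two constructed configs, one with cert_policy unset (which, as the page states, pam_pkcs11 before 0.6.13 treats as none) and one derived from it with cert_policy = ca,signature;, locates the pkcs11_module block named by use_pkcs11_module, and reports whether the policy there requires a private key signature. The block layout mirrors the pkcs11_module NAME { ... } structure of pam_pkcs11.conf; the module path, slot number and CA directory are illustrative values.

```shell
#!/bin/sh
# Audit pam_pkcs11.conf for the CVE-2025-24032 condition: the active PKCS#11
# module's cert_policy does not include "signature", so a token that holds only
# the user's public certificate (no private key) is accepted at login.
# Added example, not OpenSC code. Constructed sample configs are written to
# temporary files; point audit_conf at /etc/pam_pkcs11/pam_pkcs11.conf for real use.
set -eu

# --- constructed sample configs (illustrative paths, not a real deployment) ---
WEAK_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

# Weak: cert_policy is left unset, which pam_pkcs11 < 0.6.13 treats as "none".
cat >"$WEAK_CONF" <<'EOF'
pam_pkcs11 {
  nullok = false;
  debug = false;
  card_only = false;
  use_pkcs11_module = opensc;

  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    slot_num = 0;
    ca_dir = /etc/pam_pkcs11/cacerts;
    # cert_policy = none;   <- implicit default before 0.6.13
  }

  use_mappers = pwent;
}
EOF

# Fixed: same file, but require proof of private-key possession plus a CA chain.
sed 's/# cert_policy = none;.*/cert_policy = ca,signature;/' "$WEAK_CONF" >"$FIXED_CONF"

# Name of the active PKCS#11 module, from "use_pkcs11_module = NAME;".
# Comments are stripped first so a commented-out directive is not picked up.
active_module() {
    sed 's/#.*//' "$1" |
        awk -F'[=;]' '/use_pkcs11_module/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# cert_policy value inside "pkcs11_module NAME { ... }"; prints nothing if unset.
# Module blocks are flat, so the first "}" after the opening line closes the block.
cert_policy_for() {
    sed 's/#.*//' "$1" |
        awk -v mod="$2" '
            !inblock && $1 == "pkcs11_module" && $2 == mod { inblock = 1; next }
            inblock && /cert_policy[ \t]*=/ {
                sub(/.*=/, ""); sub(/;.*/, ""); gsub(/[ \t]/, ""); print; exit
            }
            inblock && /\}/ { exit }'
}

# cert_policy is a comma-separated list; only "signature" makes pam_pkcs11 demand
# a challenge signed with the private key matching the certificate on the token.
policy_requires_signature() {
    case ",$1," in
        *,signature,*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Returns 0 when the config enforces signature, 1 when it shows the weak default.
audit_conf() {
    mod=$(active_module "$1")
    [ -n "$mod" ] || { echo "$1: no use_pkcs11_module directive"; return 1; }
    pol=$(cert_policy_for "$1" "$mod")
    [ -n "$pol" ] || pol=none    # directive absent: pre-0.6.13 default is none
    if policy_requires_signature "$pol"; then
        echo "$1: OK, module $mod has cert_policy=$pol"
        return 0
    fi
    echo "$1: VULNERABLE, module $mod has cert_policy=$pol (set cert_policy = signature;)"
    return 1
}

# Audit both sample configs; status is 1 if any of them is vulnerable.
status=0
for f in "$WEAK_CONF" "$FIXED_CONF"; do
    audit_conf "$f" || status=1
done
```

    The first config reports VULNERABLE with cert_policy=none (nothing was set, so the pre-0.6.13 default applies), the second reports OK with cert_policy=ca,signature. Because the script stops at the first "}" after the module's opening line, a cert_policy directive placed in a different pkcs11_module block, or outside any module block, is correctly ignored.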

    Conclusion

    This vulnerability demonstrates the dangers of insecure default configurations. Ensuring that authentication relies on proper cryptographic verification is critical for maintaining secure login workflows.

    For more technical details and mitigation steps, refer to the official GitHub advisory.