CVE-2025-24032: Authentication Bypass in PAM-PKCS#11 Due to Insecure Default `cert_policy` Setting

Overview

On February 10, 2025, a critical vulnerability was published under the identifier CVE-2025-24032, affecting the PAM-PKCS#11 module maintained by OpenSC. This Linux-PAM login module facilitates user authentication via X.509 certificates and is commonly integrated into secure systems that use smartcards or cryptographic tokens. The vulnerability has been rated CRITICAL with a CVSS v4.0 base score of 9.2.

Technical Details

The vulnerability stems from the default setting of the `cert_policy` configuration parameter in pam_pkcs11. If left as `none` (its default), pam_pkcs11 does not verify that the presented token can perform private-key operations such as signing. Instead, it only checks whether the certificate exists on a token and whether the user can access it.

This creates a severe security gap. An attacker can fabricate a token containing a victim’s public certificate and pair it with a known PIN. If no private key validation is enforced, the system cannot distinguish this fake token from a legitimate one, allowing unauthorized logins.
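To make the gap concrete, the following Go program is an added illustration (not code from pam_pkcs11 or OpenSC) that models the two policies described above with an in-memory token. `Token`, `Enrolled`, `LoginNonePolicy` and `LoginSignaturePolicy` are assumed names for this sketch; the real module talks to a PKCS#11 library, but the logic of the check is the same: a `none`-style check only confirms that the certificate is on the token and the PIN opens it, whereas a `signature`-style check additionally asks the token to sign a fresh random challenge and verifies that signature against the public key the system has enrolled for the user. A token that carries only the public certificate cannot pass the second check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token models the minimal interface a PKCS#11 token offers a PAM module:
// the user's certificate (here reduced to its public key) plus, when the
// token genuinely holds the private key object, the ability to sign.
// Assumed type for this illustration, not a pam_pkcs11 structure.
type Token struct {
	Pub  *ecdsa.PublicKey  // readable by anyone who can see the certificate
	Priv *ecdsa.PrivateKey // nil when the token has no private key object
	PIN  string
}

// Sign stands in for C_Sign: it only succeeds if the private key is present.
func (t *Token) Sign(challenge []byte) ([]byte, error) {
	if t.Priv == nil {
		return nil, errors.New("token has no private key object")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, t.Priv, digest[:])
}

// Enrolled is what the host stores for the account: the public key of the
// certificate that maps to the user.
type Enrolled struct {
	Pub *ecdsa.PublicKey
}

// LoginNonePolicy emulates cert_policy = none: the PIN must open the token and
// the enrolled certificate must be present. Key possession is never tested.
func LoginNonePolicy(tok *Token, pin string, e Enrolled) bool {
	if tok.PIN != pin {
		return false
	}
	return tok.Pub.Equal(e.Pub)
}

// LoginSignaturePolicy emulates cert_policy = signature: after the same PIN and
// certificate checks, the token must sign a fresh 32-byte random challenge and
// the signature must verify under the enrolled public key.
func LoginSignaturePolicy(tok *Token, pin string, e Enrolled) bool {
	if tok.PIN != pin || !tok.Pub.Equal(e.Pub) {
		return false
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig, err := tok.Sign(challenge)
	if err != nil {
		return false // a token without the private key fails here
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(e.Pub, digest[:], sig)
}

// Scenario builds a legitimate token and a second token that carries the same
// public certificate but no private key, then reports the login outcome of
// each under both policies.
func Scenario() (noneLegit, noneCopy, sigLegit, sigCopy bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	enrolled := Enrolled{Pub: &priv.PublicKey}
	legit := &Token{Pub: &priv.PublicKey, Priv: priv, PIN: "1234"}
	// Certificate copied onto a token whose PIN is simply known to its holder.
	copyOnly := &Token{Pub: &priv.PublicKey, Priv: nil, PIN: "0000"}

	noneLegit = LoginNonePolicy(legit, "1234", enrolled)
	noneCopy = LoginNonePolicy(copyOnly, "0000", enrolled)
	sigLegit = LoginSignaturePolicy(legit, "1234", enrolled)
	sigCopy = LoginSignaturePolicy(copyOnly, "0000", enrolled)
	return
}

func main() {
	a, b, c, d := Scenario()
	fmt.Printf("cert_policy=none:      legitimate=%v certificate-only=%v\n", a, b)
	fmt.Printf("cert_policy=signature: legitimate=%v certificate-only=%v\n", c, d)
}
```

Running it prints `true true` for the `none` policy and `true false` for the `signature` policy: the certificate-only token is indistinguishable from the real one until the host demands proof of possession of the private key.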

Affected Versions

The issue affects all versions from pam_pkcs11-0.6.0 up to but not including 0.6.13.

CVSS v4.0 Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/S:C/C:H/I:H/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: Present (crafted token needed)
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality & Integrity Impact: High
  • Availability Impact: Low

Mitigation

Users are strongly advised to upgrade to pam_pkcs11 version 0.6.13 or later. The patched version enforces signature-based validation by default. As an immediate workaround, administrators should explicitly set `cert_policy = signature;` in the pam_pkcs11.conf file.
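Administrators checking a fleet for the workaround above will want to know the effective policy per configured `pkcs11_module` block, including blocks that simply omit `cert_policy` and therefore fall back to the insecure default on unpatched versions. The Go program below is an added example, not a tool from the pam_pkcs11 project; `AuditCertPolicy`, `Finding` and `SampleConf` are assumed names, and the embedded configuration is a constructed sample whose module paths are illustrative. It handles `#` comments, the comma-separated form of the value (for example `ca, signature`), and nested blocks.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one cert_policy result: either an explicit assignment (Line > 0)
// or a module that never sets it (Line == 0, Policies == nil).
type Finding struct {
	Module   string   // enclosing pkcs11_module name; "" if set at top level
	Policies []string // lower-cased, trimmed values of the comma-separated list
	Line     int
}

// EnforcesSignature reports whether the proof-of-possession check is enabled.
func (f Finding) EnforcesSignature() bool {
	for _, p := range f.Policies {
		if p == "signature" {
			return true
		}
	}
	return false
}

var (
	moduleRe = regexp.MustCompile(`^\s*pkcs11_module\s+(\S+)\s*\{`)
	policyRe = regexp.MustCompile(`^\s*cert_policy\s*=\s*([^;]+);`)
)

// AuditCertPolicy scans pam_pkcs11.conf text and returns one Finding per
// cert_policy assignment, followed by one Finding per pkcs11_module block that
// has no assignment at all. Comment stripping is naive (everything after the
// first '#' on a line is dropped), which is adequate for this file format.
func AuditCertPolicy(conf string) []Finding {
	var out []Finding
	var modules []string          // declaration order
	seen := map[string]bool{}     // modules with an explicit cert_policy
	depth, moduleDepth := 0, -1   // brace depth; depth at which current module lives
	module, lineNo := "", 0
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		lineNo++
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		if m := moduleRe.FindStringSubmatch(line); m != nil {
			module = m[1]
			moduleDepth = depth + 1
			modules = append(modules, module)
		}
		if m := policyRe.FindStringSubmatch(line); m != nil {
			var pols []string
			for _, p := range strings.Split(m[1], ",") {
				if p = strings.ToLower(strings.TrimSpace(p)); p != "" {
					pols = append(pols, p)
				}
			}
			out = append(out, Finding{Module: module, Policies: pols, Line: lineNo})
			if module != "" {
				seen[module] = true
			}
		}
		depth += strings.Count(line, "{") - strings.Count(line, "}")
		if depth < moduleDepth { // left the module block
			module, moduleDepth = "", -1
		}
	}
	for _, m := range modules {
		if !seen[m] {
			out = append(out, Finding{Module: m}) // inherits the library default
		}
	}
	return out
}

// SampleConf is a constructed configuration, not taken from any real host.
const SampleConf = `# constructed sample pam_pkcs11.conf
pam_pkcs11 {
  nullok = false;
  use_pkcs11_module = opensc;

  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    ca_dir = /etc/pam_pkcs11/cacerts;
    cert_policy = ca, signature;
  }

  pkcs11_module legacy {
    module = /usr/lib/legacy-pkcs11.so;
    # cert_policy = signature;   commented out, so it does not apply
    cert_policy = none;
  }

  pkcs11_module nopolicy {
    module = /usr/lib/other-pkcs11.so;
  }
}
`

func main() {
	for _, f := range AuditCertPolicy(SampleConf) {
		status := "OK (signature enforced)"
		if !f.EnforcesSignature() {
			status = "WEAK: set cert_policy = signature;"
		}
		if f.Line == 0 {
			fmt.Printf("module %-9s no cert_policy (defaults to none before 0.6.13)  %s\n", f.Module, status)
			continue
		}
		fmt.Printf("module %-9s line %-3d cert_policy = %-14s %s\n", f.Module, f.Line, strings.Join(f.Policies, ","), status)
	}
}
```

On the sample, only the `opensc` block passes; `legacy` is flagged for an explicit `none`, and `nopolicy` is flagged because the value is missing and would inherit the default. Because `cert_policy` accepts a comma-separated list, adding `signature` alongside an existing `ca` check is the usual fix rather than replacing it.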

Conclusion

CVE-2025-24032 exemplifies the risks of insecure defaults in authentication modules. In critical environments using smartcard-based login, overlooking private key validation opens doors for silent impersonation. Updating PAM-PKCS#11 and revisiting configuration settings is imperative to mitigate this threat.
