CVE-2025-24032

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-24032
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24032.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-24032
Aliases
  • GHSA-8r8p-7mgp-vf56
Downstream
Related
Published
2025-02-10T15:43:47Z
Modified
2025-10-15T22:36:35.867726Z
Severity
  • 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L CVSS Calculator
Summary
PAM-PKCS#11 vulnerable to authentication bypass with default value for `cert_policy` (`none`)
Details

PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if certpolicy is set to none (the default value), then pampkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to not check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in pam_pkcs11.conf, set at least cert_policy = signature;.

References

Affected packages

Git / github.com/OpenSC/pam_pkcs11

Affected ranges

Type
GIT
Repo
https://github.com/OpenSC/pam_pkcs11
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b8dbe6370d36a6a11a466d5f0ee285804103e030

Affected versions

pam_pkcs11-0.*

pam_pkcs11-0.5.2
pam_pkcs11-0.6.10
pam_pkcs11-0.6.11
pam_pkcs11-0.6.12
pam_pkcs11-0.6.7
pam_pkcs11-0.6.8
pam_pkcs11-0.6.9