UBUNTU-CVE-2025-24032

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-24032

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-24032.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-24032

Related

Published

2025-02-10T16:15:00Z

Modified

2025-03-21T04:35:35Z

Summary

[none]

Details

PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if certpolicy is set to none (the default value), then pampkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to not check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in pam_pkcs11.conf, set at least cert_policy = signature;.

References

Affected packages

Ubuntu:Pro:16.04:LTS / pam-pkcs11

Package

Name: pam-pkcs11
Purl: pkg:deb/ubuntu/pam-pkcs11@0.6.8-4ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.8-4ubuntu0.1~esm1

Affected versions

0.*

0.6.8-4

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "high",
    "binaries": [
        {
            "binary_version": "0.6.8-4ubuntu0.1~esm1",
            "binary_name": "libpam-pkcs11"
        },
        {
            "binary_version": "0.6.8-4ubuntu0.1~esm1",
            "binary_name": "libpam-pkcs11-dbgsym"
        },
        {
            "binary_version": "0.6.8-4ubuntu0.1~esm1",
            "binary_name": "pam-pkcs11-dbg"
        }
    ],
    "priority_reason": "flaw would allow bypassing strong authentication"
}

Ubuntu:Pro:18.04:LTS / pam-pkcs11

Package

Name: pam-pkcs11
Purl: pkg:deb/ubuntu/pam-pkcs11@0.6.9-2ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.9-2ubuntu0.1~esm1

Affected versions

0.*

0.6.9-1

0.6.9-2

0.6.9-2build1

0.6.9-2build2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "high",
    "binaries": [
        {
            "binary_version": "0.6.9-2ubuntu0.1~esm1",
            "binary_name": "libpam-pkcs11"
        },
        {
            "binary_version": "0.6.9-2ubuntu0.1~esm1",
            "binary_name": "pam-pkcs11-dbg"
        }
    ],
    "priority_reason": "flaw would allow bypassing strong authentication"
}

Ubuntu:20.04:LTS / pam-pkcs11

Package

Name: pam-pkcs11
Purl: pkg:deb/ubuntu/pam-pkcs11@0.6.11-2ubuntu0.1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.11-2ubuntu0.1

Affected versions

0.*

0.6.11-2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "high",
    "binaries": [
        {
            "binary_version": "0.6.11-2ubuntu0.1",
            "binary_name": "libpam-pkcs11"
        },
        {
            "binary_version": "0.6.11-2ubuntu0.1",
            "binary_name": "libpam-pkcs11-dbgsym"
        }
    ],
    "priority_reason": "flaw would allow bypassing strong authentication"
}

Ubuntu:22.04:LTS / pam-pkcs11

Package

Name: pam-pkcs11
Purl: pkg:deb/ubuntu/pam-pkcs11@0.6.11-4ubuntu0.1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.11-4ubuntu0.1

Affected versions

0.*

0.6.11-4build1

0.6.11-4build2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "high",
    "binaries": [
        {
            "binary_version": "0.6.11-4ubuntu0.1",
            "binary_name": "libpam-pkcs11"
        },
        {
            "binary_version": "0.6.11-4ubuntu0.1",
            "binary_name": "libpam-pkcs11-dbgsym"
        }
    ],
    "priority_reason": "flaw would allow bypassing strong authentication"
}

Ubuntu:24.10 / pam-pkcs11

Package

Name: pam-pkcs11
Purl: pkg:deb/ubuntu/pam-pkcs11@0.6.12-2ubuntu0.24.10.1?arch=source&distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.12-2ubuntu0.24.10.1

Affected versions

0.*

0.6.12-2build3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "high",
    "binaries": [
        {
            "binary_version": "0.6.12-2ubuntu0.24.10.1",
            "binary_name": "libpam-pkcs11"
        },
        {
            "binary_version": "0.6.12-2ubuntu0.24.10.1",
            "binary_name": "libpam-pkcs11-dbgsym"
        }
    ],
    "priority_reason": "flaw would allow bypassing strong authentication"
}

Ubuntu:24.04:LTS / pam-pkcs11

Package

Name: pam-pkcs11
Purl: pkg:deb/ubuntu/pam-pkcs11@0.6.12-2ubuntu0.24.04.1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.6.12-2ubuntu0.24.04.1

Affected versions

0.*

0.6.12-1

0.6.12-2

0.6.12-2build2

0.6.12-2build3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "high",
    "binaries": [
        {
            "binary_version": "0.6.12-2ubuntu0.24.04.1",
            "binary_name": "libpam-pkcs11"
        },
        {
            "binary_version": "0.6.12-2ubuntu0.24.04.1",
            "binary_name": "libpam-pkcs11-dbgsym"
        }
    ],
    "priority_reason": "flaw would allow bypassing strong authentication"
}