A critical vulnerability (CVE-2025-24032) has been discovered in Linux-PAM (Pluggable Authentication Modules) that affects the pam_pkcs11 module prior to version 0.6.13, potentially allowing unauthorized users to log in. The PAM-PKCS#11 module is a Linux-PAM login module that enables X.509 certificate-based user authentication. In this article, we will discuss the exploit details, provide configuration snippets showing the vulnerable and the corrected setting, and recommend mitigation steps to prevent this security issue.
Exploit Details
The vulnerability (CVE-2025-24032) lies in the default behavior of pam_pkcs11: when cert_policy is set to 'none' (the default value), the module only checks whether the user is able to log into the token. An attacker can exploit this by creating a different token that contains the user's public data (e.g., their certificate) and a PIN known to the attacker. Because no private key signature is required, the attacker can then log in as the user with the created token.
The default behavior was changed in commit 6638576892b59a99389043c90a1e7dd4d783b921 so that the private key's signature is not checked. As a result, all versions of pam_pkcs11 starting with 0.6.0 are affected by this vulnerability.
The following snippet shows the vulnerable default configuration in pam_pkcs11.conf:
cert_policy = none;
To mitigate the vulnerability, change the cert_policy value to signature:
cert_policy = signature;
The original vulnerability disclosure and details can be found at the following links:
1. CVE-2025-24032 - NVD (National Vulnerability Database)
2. PAM-PKCS#11 GitHub Repository (commit 6638576892b59a99389043c90a1e7dd4d783b921)
Mitigation
To prevent unauthorized user login due to this vulnerability, administrators should ensure they are using pam_pkcs11 version 0.6.13 or later. If updating is not possible, it is highly recommended to modify the pam_pkcs11.conf file to include the following configuration:
cert_policy = signature;
With signature included in cert_policy, a private key signature is required for authentication, so an attacker cannot log in using a self-created token that lacks the legitimate user's private key.
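To audit an existing pam_pkcs11.conf for this weak setting, here is an added check script; it is not part of the original article or of the pam_pkcs11 project. It assumes the conventional file layout in which cert_policy is a comma-separated list inside a pkcs11_module block, that use_pkcs11_module names the active block, and that a missing cert_policy means the upstream default of none; the sample configurations are constructed.

```python
import re

# Assumptions (not stated in the advisory): cert_policy is a comma-separated
# list inside a "pkcs11_module <name> { ... }" block, use_pkcs11_module names
# the active block, and "#" starts a comment.
MODULE_RE = re.compile(r"\bpkcs11_module\s+(\S+)\s*\{")
POLICY_RE = re.compile(r"\bcert_policy\s*=\s*([^;]+);")
USE_RE = re.compile(r"\buse_pkcs11_module\s*=\s*([^;]+);")

# Constructed sample configurations, not copied from any real system.
TEMPLATE = """\
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    %s
  }
}
"""
VULNERABLE_CONF = TEMPLATE % "cert_policy = none;  # token PIN is all that is checked"
HARDENED_CONF = TEMPLATE % "cert_policy = ca,signature;  # require a private key signature"
DEFAULT_CONF = TEMPLATE % ""  # no cert_policy line: upstream default is none

def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def module_policies(conf_text):
    """Map each pkcs11_module block to its cert_policy list ('none' if absent)."""
    text = _strip_comments(conf_text)
    policies = {}
    for m in MODULE_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # locate the block's closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        pm = POLICY_RE.search(text[m.end():i])
        vals = pm.group(1).split(",") if pm else ["none"]
        policies[m.group(1)] = [v.strip().lower() for v in vals]
    return policies

def requires_signature(conf_text):
    """True only if the active module's cert_policy includes 'signature'."""
    text = _strip_comments(conf_text)
    policies = module_policies(text)
    um = USE_RE.search(text)
    active = um.group(1).strip() if um else None
    if active in policies:
        return "signature" in policies[active]
    # No usable selector: every configured module must require a signature.
    return bool(policies) and all("signature" in p for p in policies.values())
```

Run requires_signature() over the contents of /etc/pam_pkcs11/pam_pkcs11.conf (the usual path; adjust for your distribution) and treat a False result as the vulnerable state.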
Conclusion
CVE-2025-24032 is a critical vulnerability affecting Linux-PAM's pam_pkcs11 module that could enable unauthorized user login via X.509 certificate-based authentication. To protect systems and user accounts from this security risk, it is crucial to update pam_pkcs11 to version 0.6.13 or later and configure the cert_policy setting to require private key signatures for user authentication.
Timeline
Published on: 02/10/2025 16:15:39 UTC
Last modified on: 02/18/2025 14:15:28 UTC