CVE-2025-24032

PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
GitHub_MCNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
Debian logo
Debian Releases
Debian Product
Codename
pam-pkcs11
bullseye
vulnerable
bullseye (security)
0.6.11-4+deb11u1
fixed
bookworm
0.6.12-1+deb12u1
fixed
bookworm (security)
0.6.12-1+deb12u1
fixed
sid
0.6.13-1
fixed
trixie
0.6.13-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pam-pkcs11
oracular
Fixed 0.6.12-2ubuntu0.24.10.1
released
noble
Fixed 0.6.12-2ubuntu0.24.04.1
released
jammy
Fixed 0.6.11-4ubuntu0.1
released
focal
Fixed 0.6.11-2ubuntu0.1
released
bionic
Fixed 0.6.9-2ubuntu0.1~esm1
released
xenial
Fixed 0.6.8-4ubuntu0.1~esm1
released
Common Weakness Enumeration
References
https://github.com/OpenSC/pam_pkcs11/commit/470263258d1ac59c5eade439c4d9caba0097e6e6
https://github.com/OpenSC/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48
https://github.com/OpenSC/pam_pkcs11/commit/d9530167966a77115db6e885d459382a2e52ee9e
https://github.com/OpenSC/pam_pkcs11/releases/tag/pam_pkcs11-0.6.13
https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-8r8p-7mgp-vf56
https://lists.debian.org/debian-lts-announce/2025/02/msg00021.html
https://www.vicarius.io/vsociety/posts/cve-2025-24032-detect-vulnerability-in-linux-pam-module
https://www.vicarius.io/vsociety/posts/cve-2025-24032-mitigate-linux-pam-module-vulnerability