CVE-2024-22365

Root

Cause The vulnerability exists in the pam_namespace module of Linux-PAM (linux-pam) prior to version 1.6.0. The protect_dir() function uses openat() to check directory permissions without including the O_DIRECTORY flag. This omission allows an attacker to create a FIFO (named pipe, via mkfifo) at the expected directory path, causing openat() to successfully open the FIFO as a file descriptor instead of failing with an error. Subsequent operations on this file descriptor then block indefinitely or produce unexpected behavior, effectively freezing the login process [1][3].

Exploitation

Prerequisites The attack is local and requires the attacker to have write access to a location where a polyinstantiated directory (e.g., /tmp or /var/tmp) will be created by the pam_namespace module during a login session. The attacker places a FIFO (named pipe) at that path before the victim user logs in. No special privileges beyond standard user access are needed, making this a simple local denial-of-service vector [3].

Impact

When a legitimate user attempts to log in and pam_namespace processes the polyinstantiated directory, the openat() call without O_DIRECTORY opens the FIFO. The module then attempts to use the resulting file descriptor for operations meant for a directory, causing the login process to hang indefinitely. This results in a denial of service for the affected user, preventing them from completing authentication and establishing a session [1][3].

Mitigation

The vulnerability is fixed in Linux-PAM version 1.6.0, which ensures openat() is called with the O_DIRECTORY flag, thus ignoring non-directory files like FIFOs. Users are strongly advised to update to this version or apply the corresponding patch [2][4]. Organizations using products such as Siemens RUGGEDCOM ROX II family that bundle linux-pam should refer to vendor advisories for specific patching guidance [1][2].