CVE-2025-24032
Description
PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in pam_pkcs11.conf, set at least cert_policy = signature;.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
12pam_pkcs11-0.6.10, pam_pkcs11-0.6.11, pam_pkcs11-0.6.12, …+ 1 more
- (no CPE)range: pam_pkcs11-0.6.10, pam_pkcs11-0.6.11, pam_pkcs11-0.6.12, …
- (no CPE)range: >=0.6.0, <0.6.13
- osv-coords10 versionspkg:rpm/opensuse/pam_pkcs11&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/pam_pkcs11&distro=openSUSE%20Tumbleweedpkg:rpm/suse/pam_pkcs11&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/pam_pkcs11&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/pam_pkcs11&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/pam_pkcs11&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/pam_pkcs11&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/pam_pkcs11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/pam_pkcs11&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/pam_pkcs11&distro=SUSE%20Linux%20Micro%206.0
< 0.6.10-150600.16.3.1+ 9 more
- (no CPE)range: < 0.6.10-150600.16.3.1
- (no CPE)range: < 0.6.13-1.1
- (no CPE)range: < 0.6.10-150100.3.6.1
- (no CPE)range: < 0.6.10-150100.3.6.1
- (no CPE)range: < 0.6.10-150100.3.6.1
- (no CPE)range: < 0.6.10-150100.3.6.1
- (no CPE)range: < 0.6.10-150100.3.6.1
- (no CPE)range: < 0.6.10-150600.16.3.1
- (no CPE)range: < 0.6.8-7.8.1
- (no CPE)range: < 0.6.12-3.1
Patches
Vulnerability mechanics
References
8- github.com/OpenSC/pam_pkcs11/commit/470263258d1ac59c5eade439c4d9caba0097e6e6nvd
- github.com/OpenSC/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48nvd
- github.com/OpenSC/pam_pkcs11/commit/d9530167966a77115db6e885d459382a2e52ee9envd
- github.com/OpenSC/pam_pkcs11/releases/tag/pam_pkcs11-0.6.13nvd
- github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-8r8p-7mgp-vf56nvd
- lists.debian.org/debian-lts-announce/2025/02/msg00021.htmlnvd
- www.vicarius.io/vsociety/posts/cve-2025-24032-detect-vulnerability-in-linux-pam-modulenvd
- www.vicarius.io/vsociety/posts/cve-2025-24032-mitigate-linux-pam-module-vulnerabilitynvd
News mentions
0No linked articles in our index yet.