Описание
PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to not check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in pam_pkcs11.conf, set at least cert_policy = signature;.
A flaw was found in the pam_pkcs11 Linux-PAM login module. If the cert_policy is set to none, which is the default value, then pam_pkcs11 will only check if the user is capable of logging into the token. This flaw allows an attacker to create a different token with the user's public data, for example, the user's certificate and a PIN known to the attacker. If no signature with the private key is required, the attacker can log in as a user with that created token.
Отчет
This vulnerability is of moderate severity because it only applies when the configuration explicitly disables signature verification (cert_policy = none), which is not a secure best practice. The attack requires an adversary to create a fake token using the victim’s public certificate and a known PIN, but it does not compromise the private key itself. Since private key possession is typically required for strong authentication, systems enforcing proper certificate verification (including signature validation) remain unaffected. Additionally, RHEL is not vulnerable by default, further reducing the real-world impact.
Меры по смягчению последствий
Restrict the cert_policy value to signature in the pam_pkcs11.conf configuration file (cert_policy = signature).
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | pam_pkcs11 | Out of support scope | ||
| Red Hat Enterprise Linux 7 | pam_pkcs11 | Will not fix |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
8 High
CVSS3
Связанные уязвимости
PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`.
PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`.
PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificat ...
Уязвимость модуля аутентификации PAM-PKCS#11 операционных систем Linux, позволяющая нарушителю обойти процесс аутентификации
EPSS
8 High
CVSS3