| Name | CVE-2025-24032 |
| Description | PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-4058-1, DSA-5864-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| pam-pkcs11 (PTS) | bullseye | 0.6.11-4 | vulnerable |
| bullseye (security) | 0.6.11-4+deb11u1 | fixed | |
| bookworm, bookworm (security) | 0.6.12-1+deb12u1 | fixed | |
| forky, sid, trixie | 0.6.13-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pam-pkcs11 | source | bullseye | 0.6.11-4+deb11u1 | DLA-4058-1 | ||
| pam-pkcs11 | source | bookworm | 0.6.12-1+deb12u1 | DSA-5864-1 | ||
| pam-pkcs11 | source | (unstable) | 0.6.13-1 |
https://github.com/OpenSC/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48 (pam_pkcs11-0.6.13)
https://github.com/OpenSC/pam_pkcs11/commit/d9530167966a77115db6e885d459382a2e52ee9e (pam_pkcs11-0.6.13)