CVE-2025-24032

Publication date 10 February 2025

Last updated 20 March 2025

Ubuntu priority

High

Why this priority?

PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user’s public data (e.g. the user’s certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key’s signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`.

Why is this CVE high priority?

flaw would allow bypassing strong authentication

Learn more about Ubuntu priority

Status

Package Ubuntu Release Status
pam-pkcs11 24.10 oracular
Fixed 0.6.12-2ubuntu0.24.10.1
24.04 LTS noble
Fixed 0.6.12-2ubuntu0.24.04.1
22.04 LTS jammy
Fixed 0.6.11-4ubuntu0.1
20.04 LTS focal
Fixed 0.6.11-2ubuntu0.1
18.04 LTS bionic
16.04 LTS xenial

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
pam-pkcs11

References

Related Ubuntu Security Notices (USN)

    • USN-7363-1
    • PAM-PKCS#11 vulnerabilities
    • 20 March 2025

Other references