Security update for pam_pkcs11 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0689-1 Final 1 1 2025-02-24T12:57:14Z current 2025-02-24T12:57:14Z 2025-02-24T12:57:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pam_pkcs11 This update for pam_pkcs11 fixes the following issues: - CVE-2025-24032: default value for `cert_policy` (`none`) allows for authentication bypass (bsc#1237062). - CVE-2025-24031: uninitialized pointer dereference caused by user pressing ctrl-c/ctrl-d when asked for PIN leads to crash (bsc#1237058). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP6-Hardened-BYOS-2025-689,Image SLES15-SP6-Hardened-BYOS-GCE-2025-689,SUSE-2025-689,SUSE-SLE-Module-Basesystem-15-SP6-2025-689,openSUSE-SLE-15.6-2025-689 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250689-1/ Link for SUSE-SU-2025:0689-1 https://lists.suse.com/pipermail/sle-security-updates/2025-February/020426.html E-Mail link for SUSE-SU-2025:0689-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1237058 SUSE Bug 1237058 https://bugzilla.suse.com/1237062 SUSE Bug 1237062 https://www.suse.com/security/cve/CVE-2025-24031/ SUSE CVE CVE-2025-24031 page https://www.suse.com/security/cve/CVE-2025-24032/ SUSE CVE CVE-2025-24032 page Image SLES15-SP6-Hardened-BYOS Image SLES15-SP6-Hardened-BYOS-GCE SUSE Linux Enterprise Module for Basesystem 15 SP6 openSUSE Leap 15.6 pam_pkcs11-0.6.10-150600.16.3.1 pam_pkcs11-32bit-0.6.10-150600.16.3.1 pam_pkcs11-64bit-0.6.10-150600.16.3.1 pam_pkcs11-devel-doc-0.6.10-150600.16.3.1 pam_pkcs11-0.6.10-150600.16.3.1 as a component of Image SLES15-SP6-Hardened-BYOS pam_pkcs11-0.6.10-150600.16.3.1 as a component of Image SLES15-SP6-Hardened-BYOS-GCE pam_pkcs11-0.6.10-150600.16.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 pam_pkcs11-32bit-0.6.10-150600.16.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 pam_pkcs11-0.6.10-150600.16.3.1 as a component of openSUSE Leap 15.6 pam_pkcs11-32bit-0.6.10-150600.16.3.1 as a component of openSUSE Leap 15.6 pam_pkcs11-devel-doc-0.6.10-150600.16.3.1 as a component of openSUSE Leap 15.6 PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. In versions 0.6.12 and prior, the pam_pkcs11 module segfaults when a user presses ctrl-c/ctrl-d when they are asked for a PIN. When a user enters no PIN at all, `pam_get_pwd` will never initialize the password buffer pointer and as such `cleanse` will try to dereference an uninitialized pointer. On my system this pointer happens to have the value 3 most of the time when running sudo and as such it will segfault. The most likely impact to a system affected by this issue is an availability impact due to a daemon that uses PAM crashing. As of time of publication, a patch for the issue is unavailable. CVE-2025-24031 Image SLES15-SP6-Hardened-BYOS-GCE:pam_pkcs11-0.6.10-150600.16.3.1 Image SLES15-SP6-Hardened-BYOS:pam_pkcs11-0.6.10-150600.16.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:pam_pkcs11-0.6.10-150600.16.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:pam_pkcs11-32bit-0.6.10-150600.16.3.1 openSUSE Leap 15.6:pam_pkcs11-0.6.10-150600.16.3.1 openSUSE Leap 15.6:pam_pkcs11-32bit-0.6.10-150600.16.3.1 openSUSE Leap 15.6:pam_pkcs11-devel-doc-0.6.10-150600.16.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250689-1/ https://www.suse.com/security/cve/CVE-2025-24031.html CVE-2025-24031 https://bugzilla.suse.com/1237058 SUSE Bug 1237058 PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`. CVE-2025-24032 Image SLES15-SP6-Hardened-BYOS-GCE:pam_pkcs11-0.6.10-150600.16.3.1 Image SLES15-SP6-Hardened-BYOS:pam_pkcs11-0.6.10-150600.16.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:pam_pkcs11-0.6.10-150600.16.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:pam_pkcs11-32bit-0.6.10-150600.16.3.1 openSUSE Leap 15.6:pam_pkcs11-0.6.10-150600.16.3.1 openSUSE Leap 15.6:pam_pkcs11-32bit-0.6.10-150600.16.3.1 openSUSE Leap 15.6:pam_pkcs11-devel-doc-0.6.10-150600.16.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250689-1/ https://www.suse.com/security/cve/CVE-2025-24032.html CVE-2025-24032 https://bugzilla.suse.com/1237062 SUSE Bug 1237062