{"id":"CVE-2025-24032","summary":"PAM-PKCS#11 vulnerable to authentication bypass with default value for `cert_policy` (`none`)","details":"PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`.","aliases":["GHSA-8r8p-7mgp-vf56"],"modified":"2026-04-12T14:03:50.965106Z","published":"2025-02-10T15:43:47.166Z","related":["SUSE-SU-2025:0688-1","SUSE-SU-2025:0689-1","SUSE-SU-2025:0712-1","SUSE-SU-2025:20199-1","openSUSE-SU-2025:14738-1"],"database_specific":{"cwe_ids":["CWE-287"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24032.json"},"references":[{"type":"WEB","url":"https://github.com/OpenSC/pam_pkcs11/releases/tag/pam_pkcs11-0.6.13"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/02/msg00021.html"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/cve-2025-24032-detect-vulnerability-in-linux-pam-module"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/cve-2025-24032-mitigate-linux-pam-module-vulnerability"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24032.json"},{"type":"ADVISORY","url":"https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-8r8p-7mgp-vf56"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24032"},{"type":"FIX","url":"https://github.com/OpenSC/pam_pkcs11/commit/470263258d1ac59c5eade439c4d9caba0097e6e6"},{"type":"FIX","url":"https://github.com/OpenSC/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48"},{"type":"FIX","url":"https://github.com/OpenSC/pam_pkcs11/commit/d9530167966a77115db6e885d459382a2e52ee9e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opensc/pam_pkcs11","events":[{"introduced":"0"},{"fixed":"470263258d1ac59c5eade439c4d9caba0097e6e6"}]},{"type":"GIT","repo":"https://github.com/opensc/pam_pkcs11","events":[{"introduced":"0"},{"fixed":"b665b287ff955bbbd9539252ff9f9e2754c3fb48"}]},{"type":"GIT","repo":"https://github.com/opensc/pam_pkcs11","events":[{"introduced":"0"},{"fixed":"d9530167966a77115db6e885d459382a2e52ee9e"}]}],"versions":["pam_pkcs11-0.6.10","pam_pkcs11-0.6.11","pam_pkcs11-0.6.12","pam_pkcs11-0.6.7","pam_pkcs11-0.6.8","pam_pkcs11-0.6.9"],"database_specific":{"vanir_signatures_modified":"2026-04-12T14:03:50Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24032.json","vanir_signatures":[{"id":"CVE-2025-24032-489de05a","source":"https://github.com/opensc/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["151700747521517891659729709967982683513","155433363942181332091246379604298301257","20279298570616699901817533031451809639","57522534658047236522562859545889733993"]},"target":{"file":"src/common/cert_vfy.h"},"deprecated":false},{"id":"CVE-2025-24032-65bf1cc9","source":"https://github.com/opensc/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48","signature_type":"Function","signature_version":"v1","digest":{"length":15158,"function_hash":"72190400424515094119833472146530578125"},"target":{"function":"pam_sm_authenticate","file":"src/pam_pkcs11/pam_pkcs11.c"},"deprecated":false},{"id":"CVE-2025-24032-b5e3c172","source":"https://github.com/opensc/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["290146616162374221300161178135830076997","20068430549440856494065580391720171240","214429918931596631897216676562145101774","142974979708346486280742106783770991024","193543140717988539361319785771758213400","20486857534504327986875387656389945364","86081338461863242832398427138116031895","37596548859457925737165125593494940502","15457785330416512057296965641574595504","155966127907119332844296644686198601442","163180349516981912241072510392896394154","83572812941496633107091511644223164105","314595662186312060285607415982954819731","254964277387483681167815041923030936855","78739880746942918013341772067412120520","30668562654035788339540207101809388748","145167318254280756197696987166267691315","53414933111005210984932524659156056797","230671152404615704919132530043704672641","315305519197885230156093867887509660849"]},"target":{"file":"src/pam_pkcs11/pam_config.c"},"deprecated":false},{"id":"CVE-2025-24032-c704b25c","source":"https://github.com/opensc/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48","signature_type":"Function","signature_version":"v1","digest":{"length":1342,"function_hash":"47228991939016772297751132165787882447"},"target":{"function":"display_config","file":"src/pam_pkcs11/pam_config.c"},"deprecated":false},{"id":"CVE-2025-24032-d1a3e4a5","source":"https://github.com/opensc/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48","signature_type":"Function","signature_version":"v1","digest":{"length":4663,"function_hash":"288401070528153361740068278321323859684"},"target":{"function":"parse_config_file","file":"src/pam_pkcs11/pam_config.c"},"deprecated":false},{"id":"CVE-2025-24032-de34c661","source":"https://github.com/opensc/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48","signature_type":"Function","signature_version":"v1","digest":{"length":3643,"function_hash":"145984798239328870681428783942412182059"},"target":{"function":"pk_configure","file":"src/pam_pkcs11/pam_config.c"},"deprecated":false},{"id":"CVE-2025-24032-f278750e","source":"https://github.com/opensc/pam_pkcs11/commit/b665b287ff955bbbd9539252ff9f9e2754c3fb48","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["77555064945292383508024947511747825428","269766075445751107955057585118914535665","52438552029501315486029566086707084431","98648456045477927480157131874371832496"]},"target":{"file":"src/pam_pkcs11/pam_pkcs11.c"},"deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L"}]}