Authd · Authd · CVE-2024-9312
**Name of the Vulnerable Software and Affected Versions**
Authd versions 0.3.6 and earlier
**Description**
A local attacker who can register user names could spoof another user's ID and gain their privileges due to insufficient randomization of user IDs. The issue arises from the `GenerateID` method, which assigns user IDs as a pure function of the user name, and the set of UIDs is too small for pseudo-random assignment to work. This allows an adversary to register multiple users with colliding IDs, or to register a single user whose ID collides with a target user's. The attacker can bypass the uniqueness check by engineering a situation in which the system administrator purges `/var/cache`, by targeting a system account whose UID lies in `authd`'s range, or by targeting an account that has not logged into a specific system in more than 6 months.
**Recommendations**
For Authd versions 0.3.6 and earlier, consider the following:
- The simplest remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range, commonly communicated through a claim in OIDC.
- If that is not possible, architectural changes to authd would likely be required, such as assigning user IDs from a small space that requires mutable state to ensure uniqueness, and synchronizing that mutable state across multiple machines.
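The following Go program is an added illustration, not authd's code: it contrasts the pure-function ID pattern described above with the stateful allocator the second recommendation describes, and quantifies the birthday-bound collision risk for a small ID space. The UID range, the FNV hash and the `Allocator` type are constructed for the example; authd's real range and `GenerateID` internals are not given on this page.

```go
package main

import "hash/fnv"

// Constructed range for this example; authd's real UID range is not given here.
const (
	uidMin  = 100000
	uidSize = 5000 // number of distinct UIDs available
)

// PureIDFromName mirrors the flawed pattern: the ID is a pure function of the
// name, so two names that hash to the same slot silently share a UID.
func PureIDFromName(name string) uint32 {
	h := fnv.New32a()
	h.Write([]byte(name))
	return uidMin + h.Sum32()%uidSize
}

// CollisionProbability is the exact birthday bound 1 - prod(1 - i/n): the
// chance that at least two of k IDs drawn uniformly from n values coincide.
func CollisionProbability(n, k int) float64 {
	p := 1.0
	for i := 0; i < k; i++ {
		p *= 1 - float64(i)/float64(n)
	}
	return 1 - p
}

// Allocator is the stateful alternative the advisory points to: it records
// every UID handed out so a later name can never receive one already in use.
// In a real deployment this map must be persisted and shared across machines.
type Allocator struct{ used map[uint32]string }

// Allocate probes forward from the name's hash slot to the first free UID;
// ok is false only when the whole range is exhausted.
func (a *Allocator) Allocate(name string) (id uint32, ok bool) {
	if a.used == nil {
		a.used = map[uint32]string{}
	}
	start := PureIDFromName(name) - uidMin
	for i := uint32(0); i < uidSize; i++ {
		id = uidMin + (start+i)%uidSize
		if _, taken := a.used[id]; !taken {
			a.used[id] = name
			return id, true
		}
	}
	return 0, false
}
```

With 100 users in a 5000-ID space the birthday bound already exceeds 60%, which is why the advisory says pseudo-random assignment cannot work without mutable state.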
At the moment, there is no information about a newer version that contains a fix for this vulnerability.