PT-2024-39562 · Authd+1
Adrian Dombeck +5 · Published 2024-10-10 · Updated 2025-03-01
CVE-2024-9312
CVSS v3.1: 7.5 (High)
Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Authd versions 0.3.6 and earlier
Description
A local attacker who can register user names could spoof another user's ID and gain their privileges due to insufficient randomization of user IDs. The issue arises from the GenerateID method, which assigns user IDs as a pure function of the user name, and the set of UIDs is too small for pseudo-random assignment to work. This allows an adversary to register multiple users with colliding IDs, or to register a single user whose ID collides with a target user's. The attacker can bypass the uniqueness check by engineering a situation where the system administrator purges /var/cache, by targeting a system account whose UID is in authd's range, or by targeting an account that has not logged into a specific system in more than 6 months.
Recommendations
For Authd versions 0.3.6 and earlier, consider the following:
- The simplest remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range, commonly communicated through a claim in OIDC.
- If that is not possible, architectural changes to authd would likely be required, such as assigning user IDs from a small space that requires mutable state to ensure uniqueness, and synchronizing that mutable state across multiple machines.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
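The two halves of this advisory, the description (a UID that is a pure function of the user name, drawn from a space too small for that to be safe) and the recommendation (allocate from the small space with mutable state that enforces uniqueness), are illustrated below in an added Go example. It is not authd's code and does not reproduce its GenerateID method: `statelessID`, the 1000-ID range `uidMin`/`uidSpan`, the SHA-256 mapping, and the generated `userNN` names are all assumptions chosen to make the effect visible. The example computes the birthday bound for collisions, audits a population of names for IDs that would collide under the stateless scheme, and shows a stateful registry that never hands the same UID to two names.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed UID range, deliberately tiny (1000 IDs) so collisions appear
// immediately; it is not authd's real range.
const (
	uidMin  uint32 = 1_000_000
	uidSpan uint32 = 1_000
)

// statelessID is a hypothetical stand-in for the pattern the advisory
// describes: the UID is a pure function of the user name, so whoever
// chooses names controls which IDs are produced, and nothing stops two
// names from landing on the same ID.
func statelessID(name string) uint32 {
	h := sha256.Sum256([]byte(name))
	return uidMin + binary.BigEndian.Uint32(h[:4])%uidSpan
}

// collisionProbability is the birthday bound: the probability that at
// least two of n independently placed names share one of m IDs.
func collisionProbability(n, m int) float64 {
	noCollision := 1.0
	for i := 0; i < n; i++ {
		noCollision *= float64(m-i) / float64(m)
	}
	return 1 - noCollision
}

// AuditCollisions is a defender-side check: given the names already
// present, it reports every UID that more than one name would map to
// under the stateless scheme.
func AuditCollisions(names []string) map[uint32][]string {
	byUID := map[uint32][]string{}
	for _, n := range names {
		id := statelessID(n)
		byUID[id] = append(byUID[id], n)
	}
	dups := map[uint32][]string{}
	for id, ns := range byUID {
		if len(ns) > 1 {
			dups[id] = ns
		}
	}
	return dups
}

// Registry holds the mutable state the recommendation calls for: each
// UID is handed out at most once, so a new name whose candidate ID is
// taken is moved to the next free slot instead of silently sharing it.
type Registry struct {
	byUID  map[uint32]string
	byName map[string]uint32
}

func NewRegistry() *Registry {
	return &Registry{byUID: map[uint32]string{}, byName: map[string]uint32{}}
}

// Register returns the existing UID for a known name; for a new name it
// starts at the deterministic candidate and probes forward until a free
// UID is found, failing only when the whole range is in use.
func (r *Registry) Register(name string) (uint32, error) {
	if id, ok := r.byName[name]; ok {
		return id, nil
	}
	start := statelessID(name) - uidMin
	for i := uint32(0); i < uidSpan; i++ {
		id := uidMin + (start+i)%uidSpan
		if _, taken := r.byUID[id]; !taken {
			r.byUID[id] = name
			r.byName[name] = id
			return id, nil
		}
	}
	return 0, errors.New("uid range exhausted")
}

func main() {
	// Constructed population: 60 generated names in a 1000-ID space.
	names := make([]string, 60)
	for i := range names {
		names[i] = fmt.Sprintf("user%02d", i)
	}
	fmt.Printf("P(collision) for 60 names in %d IDs: %.2f\n",
		uidSpan, collisionProbability(60, int(uidSpan)))
	fmt.Printf("stateless UIDs shared by more than one name: %d\n",
		len(AuditCollisions(names)))

	reg := NewRegistry()
	for _, n := range names {
		if _, err := reg.Register(n); err != nil {
			fmt.Println("register failed:", err)
		}
	}
	fmt.Printf("stateful registry: %d names, %d distinct UIDs\n",
		len(names), len(reg.byUID))
}
```

The registry resolves the collision problem only on one machine; as the second recommendation notes, a fleet needs that state synchronized (or, more simply, a unique ID supplied by the IdP in an OIDC claim) so that two hosts do not each allocate the same free slot to different users.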
Related Identifiers
Affected Products
Authd
Suse