PT-2025-6041 · pam_pkcs11

Frankmorgner · Published 2024-11-06 · Updated 2025-07-23 · CVE-2025-24032

CVSS v2.0: 9.7 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions: pam_pkcs11 versions 0.6.0 through 0.6.12

Description: PAM-PKCS#11 (pam_pkcs11) is a Linux-PAM login module that allows X.509 certificate based user login. If cert_policy is set to none (the default value), pam_pkcs11 only checks that the user is capable of logging into the token (a PIN login to the token succeeds); it never verifies that the token actually holds the private key matching the presented certificate. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. Because no signature with the private key is required, the attacker can then log in as that user with the created token.

Recommendations: For versions 0.6.0 through 0.6.12, as a workaround, in pam_pkcs11.conf set at least cert_policy = signature; so that pam_pkcs11 requires a signature made with the private key on the token before accepting the login. A forged token that carries only the user's public certificate cannot produce that signature, which closes the unauthorized-access path. cert_policy values are comma separated; combining signature with ca (cert_policy = ca,signature;) additionally validates the certificate chain, since signature alone proves key possession but not that the certificate is trusted. The vulnerability is fixed in pam_pkcs11 0.6.13; the distribution advisories listed under Related Identifiers ship patched packages.
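The following audit script is an added example; it is not code from the advisory or from the pam_pkcs11 project. It reads a pam_pkcs11.conf, finds the module named by use_pkcs11_module, extracts that module's cert_policy (treating a missing directive as none, the default the advisory describes) and reports FAIL unless the policy list contains signature. The two configuration files it checks are constructed inline: one reproduces the vulnerable default, the other the recommended cert_policy = ca,signature; setting. The block layout pam_pkcs11 { use_pkcs11_module = ...; pkcs11_module <name> { ... } } follows the shipped pam_pkcs11.conf format; the function names are this example's own.

```shell
#!/bin/sh
# Audit a pam_pkcs11.conf for CVE-2025-24032 exposure.
#
# Added example, not code from the advisory or the pam_pkcs11 project.
# It relies on the pam_pkcs11.conf layout:
#   pam_pkcs11 {
#     use_pkcs11_module = <name>;
#     pkcs11_module <name> { ...; cert_policy = <p1>,<p2>; }
#   }
# A module block whose cert_policy lacks "signature" (or omits the
# directive, which pam_pkcs11 treats as "none") accepts a forged token
# carrying the user's public certificate and an attacker-chosen PIN.

# active_module FILE -> module name given by use_pkcs11_module, or empty.
active_module() {
    awk '$1 == "use_pkcs11_module" {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)   # strip "use_pkcs11_module ="
            sub(/[[:space:]]*;.*$/, "", v)      # strip ";" and any comment
            gsub(/[[:space:]]/, "", v)
            print v; exit
         }' "$1"
}

# cert_policy_of FILE MODULE -> cert_policy of that pkcs11_module block,
# or "none" when the directive is absent (pam_pkcs11's default).
cert_policy_of() {
    awk -v mod="$2" '
        $1 == "pkcs11_module" && $2 == mod { inblock = 1; next }
        inblock && /^[[:space:]]*}/        { inblock = 0 }
        inblock && $1 == "cert_policy" {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)   # strip "cert_policy ="
            sub(/[[:space:]]*;.*$/, "", v)      # strip ";" and any comment
            gsub(/[[:space:]]/, "", v)
            found = v
        }
        END { print (found == "" ? "none" : found) }
    ' "$1"
}

# requires_signature POLICY -> 0 if the comma-separated list has "signature".
requires_signature() {
    case ",$1," in
        *,signature,*) return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_config FILE -> prints PASS or FAIL for the active module's policy.
audit_config() {
    mod=$(active_module "$1")
    policy=$(cert_policy_of "$1" "$mod")
    if requires_signature "$policy"; then
        echo "PASS"
    else
        echo "FAIL"
    fi
}

# Constructed sample 1: the vulnerable default, cert_policy not set.
WEAK=$(mktemp)
cat >"$WEAK" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    ca_dir = /etc/pam_pkcs11/cacerts;
    # cert_policy not set, so pam_pkcs11 uses "none"
  }
}
EOF

# Constructed sample 2: the advisory's workaround plus CA chain validation.
FIXED=$(mktemp)
cat >"$FIXED" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    ca_dir = /etc/pam_pkcs11/cacerts;
    cert_policy = ca,signature;
  }
}
EOF
trap 'rm -f "$WEAK" "$FIXED"' EXIT

for cfg in "$WEAK" "$FIXED"; do
    mod=$(active_module "$cfg")
    printf '%s: module=%s cert_policy=%s -> %s\n' \
        "$cfg" "$mod" "$(cert_policy_of "$cfg" "$mod")" "$(audit_config "$cfg")"
done
```

Run it against a real /etc/pam_pkcs11/pam_pkcs11.conf by calling audit_config on that path. The check deliberately keys on the signature token only: ca, crl_* and ocsp_on say whether the certificate is trusted, but none of them make the module prove that the inserted token can use the matching private key, which is the property CVE-2025-24032 is about.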

Weakness Enumeration: Improper Authentication (CWE-287)

Related Identifiers

ALT-PU-2025-3627
ALT-PU-2025-8016
BDU:2025-01619
BDU:2025-09007
CVE-2025-24032
DLA-4058-1
DSA-5864-1
GHSA-8R8P-7MGP-VF56
OPENSUSE-SU-2025:14738-1
OPENSUSE-SU-2025_0689-1
SUSE-SU-2025:0688-1
SUSE-SU-2025:0689-1
SUSE-SU-2025:0712-1
SUSE-SU-2025:20199-1
USN-7363-1

Affected Products

Alt Linux
Astra Linux
Linuxmint
Red Os
Suse
Ubuntu
Pam Pkcs11