========================================================================== Ubuntu Security Notice USN-7363-1 March 20, 2025
pam-pkcs11 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: PAM-PKCS#11 could be used to bypass authentication. Software Description: - pam-pkcs11: Fully featured PAM module for using PKCS#11 smart cards Details: Marcus Rückert and Matthias Gerstner discovered that PAM-PKCS#11 did not properly handle certain return codes when authentication was not possible. An attacker could possibly use this issue to bypass authentication. This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2025-24531) It was discovered that PAM-PKCS#11 did not require a private key signature for authentication by default. An attacker could possibly use this issue to bypass authentication. (CVE-2025-24032) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 libpam-pkcs11 0.6.12-2ubuntu0.24.10.1 Ubuntu 24.04 LTS libpam-pkcs11 0.6.12-2ubuntu0.24.04.1 Ubuntu 22.04 LTS libpam-pkcs11 0.6.11-4ubuntu0.1 Ubuntu 20.04 LTS libpam-pkcs11 0.6.11-2ubuntu0.1 Ubuntu 18.04 LTS libpam-pkcs11 0.6.9-2ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS libpam-pkcs11 0.6.8-4ubuntu0.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7363-1 CVE-2025-24032, CVE-2025-24531 Package Information: https://launchpad.net/ubuntu/+source/pam-pkcs11/0.6.12-2ubuntu0.24.10.1 https://launchpad.net/ubuntu/+source/pam-pkcs11/0.6.12-2ubuntu0.24.04.1 https://launchpad.net/ubuntu/+source/pam-pkcs11/0.6.11-4ubuntu0.1 https://launchpad.net/ubuntu/+source/pam-pkcs11/0.6.11-2ubuntu0.1
OpenPGP_signature.asc
Description: OpenPGP digital signature
