Security Vulnerability Report
中文
CVE-2025-24531 CVSS 6.7 MEDIUM

CVE-2025-24531

Published: 2026-01-16 18:16:07
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

OpenSC pam_pkcs11 < 0.6.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-24531 PoC - OpenSC pam_pkcs11 Authentication Bypass // This PoC demonstrates the vulnerability where pam_sm_authenticate() // incorrectly returns PAM_IGNORE on error conditions #include <stdio.h> #include <security/pam_appl.h> // Simulate the vulnerable behavior int vulnerable_pam_sm_authenticate() { int smartcard_error = 1; // Simulate smartcard error if (smartcard_error) { // VULNERABLE: Returns PAM_IGNORE instead of proper error return PAM_IGNORE; // This allows authentication bypass } return PAM_AUTH_ERR; } // Exploitation scenario: // 1. Attacker has local access to system with smartcard reader // 2. During login, attacker triggers smartcard error (remove card, wrong PIN) // 3. pam_sm_authenticate() returns PAM_IGNORE // 4. PAM skips this module, allows fallback authentication // 5. Attacker bypasses smartcard authentication int main() { int result = vulnerable_pam_sm_authenticate(); if (result == PAM_IGNORE) { printf("VULNERABLE: PAM_IGNORE returned - Authentication bypass possible!\n"); } return 0; } // Mitigation: Upgrade to OpenSC pam_pkcs11 >= 0.6.13 // The fix ensures proper error handling and returns appropriate error codes

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-24531", "sourceIdentifier": "[email protected]", "published": "2026-01-16T18:16:06.817", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass."}, {"lang": "es", "value": "En OpenSC pam_pkcs11 anterior a 0.6.13, pam_sm_authenticate() devuelve erróneamente PAM_IGNORE en muchas situaciones de error (como un error provocado por una tarjeta inteligente antes del inicio de sesión), lo que permite la omisión de autenticación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.4, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-393"}]}], "references": [{"url": "https://github.com/OpenSC/pam_pkcs11/releases", "source": "[email protected]"}, {"url": "https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-7mf6-rg36-qgch", "source": "[email protected]"}, {"url": "https://www.openwall.com/lists/oss-security/2025/02/06/3", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/02/06/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/02/06/7", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.