OpenSC PAM-PKCS#11 Authentication Bypass Vulnerability
Vulnerability
An authentication bypass vulnerability has been identified in the OpenSC PAM-PKCS#11 module prior to version 0.6.13. The module allows X.509 certificate-based user login. When 'cert_policy' is set to 'none' (the default), the module only verifies that the user can log in to the token; it does not check that the token holds the private key belonging to the certificate. An attacker can therefore craft a token that carries the user's public data, such as their certificate, together with a PIN the attacker knows. If a signature made with the private key is not required for authentication, the attacker can log in as the user with the forged token. This vulnerability affects all versions of PAM-PKCS#11 starting from 0.6.0, with the exception of 0.6.13, which includes the necessary fix.
Impact
Exploiting this vulnerability lets an attacker authenticate as a user without possessing that user's private key, potentially leading to unauthorized access or privilege escalation on systems that use PKCS#11-based PAM authentication.
Reproduction
To reproduce this vulnerability, ensure that the PAM-PKCS#11 module is installed and configured with the default 'cert_policy' setting of 'none'. Under that setting, a token created with a user's public certificate and a PIN known to its holder is accepted, because the private-key signature is never checked.
Remediation
Users can mitigate this vulnerability by updating to PAM-PKCS#11 version 0.6.13 or later. Where updating is not possible, change the 'cert_policy' setting to 'signature' in the PAM-PKCS#11 configuration file so that login requires a signature made with the private key matching the certificate.
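As an added audit check (not part of this advisory or of the PAM-PKCS#11 project), the following Python reads a pam_pkcs11.conf, follows use_pkcs11_module to the module block that is actually in use, and reports whether that block's cert_policy includes 'signature'. The configuration text is constructed; the nested-block syntax, the '#' comment style and the 'ca' policy value are assumed from the pam_pkcs11 configuration format, and an unset cert_policy is treated as the 'none' default the advisory describes.

```python
import re

# Constructed pam_pkcs11.conf fragment (not from any real host) in the nested
# block syntax pam_pkcs11 uses; the module selected by use_pkcs11_module carries
# the weak default, cert_policy = none.
WEAK_CONF = """
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";   # '#' in quotes is not a comment
    cert_policy = none;   # only proves the PIN opens the token
  }
  pkcs11_module nss {
    cert_policy = ca, signature;   # strong, but this module is not selected
  }
}
"""
# Same file with the advisory's remediation applied to the selected module.
HARDENED_CONF = WEAK_CONF.replace("cert_policy = none;", "cert_policy = ca, signature;")

def _strip_comments(text):
    """Drop '#' comments; quoted strings are matched first so a '#' inside one survives."""
    return re.sub(r'"[^"\n]*"|#[^\n]*', lambda m: "" if m.group(0)[0] == "#" else m.group(0), text)

def selected_module_policy(conf_text):
    """Return (module_name, [policies]) for the pkcs11_module block selected by
    use_pkcs11_module; an unset cert_policy is reported as the default ['none']."""
    text = _strip_comments(conf_text)
    sel = re.search(r"use_pkcs11_module\s*=\s*([\w.-]+)\s*;", text)
    if not sel:
        return None, []
    name = sel.group(1)
    hdr = re.search(r"pkcs11_module\s+" + re.escape(name) + r"\s*\{", text)
    if not hdr:
        return name, []
    depth, i = 1, hdr.end()
    while i < len(text) and depth:            # walk to the block's matching '}'
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    pol = re.search(r"cert_policy\s*=\s*([^;]*);", text[hdr.end():i - 1])
    if not pol:
        return name, ["none"]
    return name, [p.strip() for p in pol.group(1).split(",") if p.strip()]

def requires_private_key_proof(conf_text):
    """True only when the selected module's cert_policy includes 'signature', so
    a token carrying just the public certificate and a known PIN cannot log in."""
    return "signature" in selected_module_policy(conf_text)[1]
```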
