pam_authnft Heap Buffer Over-Read Vulnerability in NETLINK_SOCK_DIAG Reply Processing
Vulnerability
A heap buffer over-read has been identified in the pam_authnft PAM session module in versions prior to 0.2.0-alpha. The issue lies in the peer_lookup_tcp function, where a crafted NETLINK_SOCK_DIAG reply can bypass the message-size validation, causing a dereference beyond the allocated buffer and potentially memory corruption.
Impact
Exploitation of this vulnerability causes a heap buffer over-read, which can lead to memory corruption and potentially allow for arbitrary code execution.
Reproduction
The vulnerability can be reproduced by sending a crafted NETLINK_SOCK_DIAG reply that bypasses the message-size check. This can be done by a process with CAP_NET_ADMIN privileges on the same host, such as a misbehaving daemon or a malicious container.
Remediation
Users are advised to upgrade to pam_authnft version 0.2.0-alpha or later. As a temporary workaround, do not configure rhost_policy=kernel; the default rhost_policy=pam does not exercise the netlink path.
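As an added example (not pam_authnft's code, which this advisory does not reproduce), the checks a NETLINK_SOCK_DIAG reply walker must enforce before touching any message: the sender-controlled nlmsg_len is validated against the bytes actually received, and the inet_diag payload against the struct read from it. Function names, the minimal struct copies and the constructed replies are assumptions for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Minimal copies of the <linux/netlink.h> and <linux/inet_diag.h> layouts (sockid
 * flattened) so the example builds without kernel headers; sizes match the UAPI (16, 72). */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags; uint32_t nlmsg_seq, nlmsg_pid; };
struct inet_diag_msg {
    uint8_t  idiag_family, idiag_state, idiag_timer, idiag_retrans;
    uint16_t idiag_sport, idiag_dport; uint32_t idiag_src[4], idiag_dst[4], idiag_if, idiag_cookie[2];
    uint32_t idiag_expires, idiag_rqueue, idiag_wqueue, idiag_uid, idiag_inode;
};
#define NLMSG_ERROR 0x2
#define NLMSG_DONE  0x3
#define SOCK_DIAG_BY_FAMILY 20
#define NLMSG_ALIGN(len) (((len) + 3u) & ~3u)
#define NLMSG_HDRLEN ((uint32_t)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
enum { DIAG_NOTFOUND = 0, DIAG_FOUND = 1, DIAG_TRUNCATED = -1, DIAG_SHORT_PAYLOAD = -2 };

/* Scan the `len` bytes recvmsg() actually returned on a NETLINK_SOCK_DIAG socket for
 * the socket with inode `want_inode`; on DIAG_FOUND, *uid_out is its owner. Every length
 * guarding a dereference is compared with `len`, never with the size of the buffer we
 * allocated: the peer controls nlmsg_len, and trusting it is the over-read described above. */
int diag_find_uid(const uint8_t *buf, size_t len, uint32_t want_inode, uint32_t *uid_out)
{
    for (size_t off = 0; off < len; ) {
        size_t remaining = len - off;
        struct nlmsghdr hdr;
        if (remaining < sizeof hdr) return DIAG_TRUNCATED;      /* header itself must fit */
        memcpy(&hdr, buf + off, sizeof hdr);                    /* copy out: no alignment assumptions */
        if (hdr.nlmsg_len < sizeof hdr || hdr.nlmsg_len > remaining)
            return DIAG_TRUNCATED;                              /* claimed length vs. bytes received */
        if (hdr.nlmsg_type == NLMSG_DONE || hdr.nlmsg_type == NLMSG_ERROR) break;
        if (hdr.nlmsg_type == SOCK_DIAG_BY_FAMILY) {
            struct inet_diag_msg m;
            if (hdr.nlmsg_len - NLMSG_HDRLEN < sizeof m) return DIAG_SHORT_PAYLOAD; /* payload covers struct */
            memcpy(&m, buf + off + NLMSG_HDRLEN, sizeof m);
            if (m.idiag_inode == want_inode) { *uid_out = m.idiag_uid; return DIAG_FOUND; }
        }
        off += NLMSG_ALIGN(hdr.nlmsg_len);                      /* next message, padding included */
    }
    return DIAG_NOTFOUND;
}

/* Demo helper (constructed data, not a kernel reply): appends one SOCK_DIAG_BY_FAMILY record
 * whose header claims `claimed` bytes while only `payload` payload bytes are really written. */
size_t put_record(uint8_t *buf, size_t off, uint32_t claimed, size_t payload, uint32_t inode, uint32_t uid)
{
    struct nlmsghdr h = { claimed, SOCK_DIAG_BY_FAMILY, 0, 1, 0 };
    struct inet_diag_msg m = { .idiag_uid = uid, .idiag_inode = inode };
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + NLMSG_HDRLEN, &m, payload);
    return off + NLMSG_HDRLEN + payload;
}
```

A reply whose header claims more bytes than were received, or a header-only record with no inet_diag_msg behind it, is rejected before any field is read instead of being dereferenced past the end of the buffer.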
