Message-ID: <643e3e53-6d68-4a16-9933-cdb13aecea42@gmail.com>
Date: Thu, 6 Feb 2025 22:48:53 -0600
From: Jacob Bachmeyer <jcb62281@...il.com>
To: oss-security@...ts.openwall.com, Matthias Gerstner <mgerstner@...e.de>
Subject: Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531)

On 2/6/25 08:55, Matthias Gerstner wrote:
> [...]
>
> On the use of `PAM_SUCCESS`
> ---------------------------
>
> PAM modules that only serve utility functions but do not actually
> authenticate could consider not returning `PAM_SUCCESS` but `PAM_IGNORE`
> instead. This would avoid unintended successful authentication in a
> situation like described in this report. It seems natural to PAM module
> authors to return `PAM_SUCCESS` if nothing in their module failed,
> however. A lot of modules work this way and changing them all would be a
> big effort.

I have pruned the entire quote down to that paragraph because that is the
root cause of this and other issues. A similar issue occurred two weeks ago
with pam-u2f (CVE-2025-23013) and the same problem of utility modules
returning PAM_SUCCESS despite not actually authenticating anything.

These problems are going to keep happening as long as utility modules
continue to misuse PAM_SUCCESS. There might be a possible workaround of
adding a new keyword "utility" or "hook" to PAM that ignores success but
fails on actual failure and using that with utility modules.

-- 
Jacob
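An added example, not part of Jacob's message and not code from pam_pkcs11, pam-u2f or Linux-PAM: a small C simulation of how the PAM dispatcher folds the return values of an "auth" stack into one result, modelled on the control-flag table in pam.conf(5). It shows what a utility module returning PAM_SUCCESS does to a stack whose real authenticator has already failed, what PAM_IGNORE does instead, and how the proposed "utility" control would behave, modelled here as a hypothetical flag. The module names, the stack shapes and the CTL_UTILITY flag are constructed for illustration; the numeric return codes match Linux-PAM's headers but nothing depends on them.

```c
#include <stddef.h>
#include <stdio.h>

/* Return codes. The values match Linux-PAM's <security/_pam_types.h>, but
 * this file is a stand-alone simulation and does not use libpam. */
enum {
    PAM_SUCCESS     = 0,
    PAM_SERVICE_ERR = 3,
    PAM_PERM_DENIED = 6,
    PAM_AUTH_ERR    = 7,
    PAM_IGNORE      = 25
};

/* Control flags from pam.conf(5), plus the hypothetical "utility" flag
 * proposed in the message (not an existing Linux-PAM keyword). */
typedef enum { CTL_REQUIRED, CTL_REQUISITE, CTL_SUFFICIENT, CTL_OPTIONAL, CTL_UTILITY } control_t;

/* Actions the dispatcher applies to a module's return value. */
typedef enum { ACT_OK, ACT_DONE, ACT_BAD, ACT_DIE, ACT_IGNORE } action_t;

/* Map (control flag, module return value) to an action, following the
 * [value=action] equivalents in pam.conf(5); new_authtok_reqd is omitted:
 *   required   = [success=ok     ignore=ignore default=bad]
 *   requisite  = [success=ok     ignore=ignore default=die]
 *   sufficient = [success=done   default=ignore]
 *   optional   = [success=ok     default=ignore]
 *   utility    = [success=ignore ignore=ignore default=bad]   (hypothetical) */
static action_t action_for(control_t ctl, int rv)
{
    switch (ctl) {
    case CTL_REQUIRED:   return rv == PAM_SUCCESS ? ACT_OK   : rv == PAM_IGNORE ? ACT_IGNORE : ACT_BAD;
    case CTL_REQUISITE:  return rv == PAM_SUCCESS ? ACT_OK   : rv == PAM_IGNORE ? ACT_IGNORE : ACT_DIE;
    case CTL_SUFFICIENT: return rv == PAM_SUCCESS ? ACT_DONE : ACT_IGNORE;
    case CTL_OPTIONAL:   return rv == PAM_SUCCESS ? ACT_OK   : ACT_IGNORE;
    case CTL_UTILITY:    return (rv == PAM_SUCCESS || rv == PAM_IGNORE) ? ACT_IGNORE : ACT_BAD;
    default:             return ACT_BAD;
    }
}

struct entry {
    const char *module;  /* illustrative name, not used by the dispatcher */
    control_t   ctl;
    int         rv;      /* what the module's pam_sm_authenticate() returns */
};

/* Simplified dispatcher modelled on libpam's _pam_dispatch_aux(): "impression"
 * records whether the stack has so far seen a counted success or a failure. */
static int dispatch(const struct entry *stack, size_t n)
{
    enum { UNDEF, POSITIVE, NEGATIVE } impression = UNDEF;
    int status = PAM_PERM_DENIED;

    for (size_t i = 0; i < n; i++) {
        int rv = stack[i].rv;
        action_t act = action_for(stack[i].ctl, rv);

        if (act == ACT_IGNORE)
            continue;                        /* does not contribute to the result */
        if (act == ACT_OK || act == ACT_DONE) {
            if (impression == UNDEF) {
                impression = POSITIVE;
                status = rv;
            }
            /* "done" (sufficient) short-circuits only if nothing failed earlier */
            if (impression == POSITIVE && act == ACT_DONE)
                break;
        } else {                             /* ACT_BAD or ACT_DIE */
            if (impression != NEGATIVE) {
                impression = NEGATIVE;       /* the first failure is the one reported */
                status = rv;
            }
            if (act == ACT_DIE)
                break;
        }
    }
    /* A stack in which every module was ignored grants nothing. */
    return impression == UNDEF ? PAM_PERM_DENIED : status;
}

/* Constructed stack: a smart-card authenticator that fails (no card, internal
 * error) configured "sufficient", followed by a bookkeeping-only utility module. */
static int run_stack(int hook_rv, control_t hook_ctl)
{
    const struct entry stack[] = {
        { "pam_card.so (authenticator, hypothetical)", CTL_SUFFICIENT, PAM_AUTH_ERR },
        { "pam_hook.so (utility, hypothetical)",       hook_ctl,       hook_rv },
    };
    return dispatch(stack, sizeof stack / sizeof stack[0]);
}

/* Utility module returns PAM_SUCCESS: the card failure was swallowed by
 * "sufficient", the hook's success is counted, and the user is let in. */
int utility_returns_success(void) { return run_stack(PAM_SUCCESS, CTL_REQUIRED); }

/* Utility module returns PAM_IGNORE: no module counts as a success, so the
 * stack ends in PAM_PERM_DENIED. */
int utility_returns_ignore(void)  { return run_stack(PAM_IGNORE, CTL_REQUIRED); }

/* Hypothetical "utility" control: success is ignored, a real error still fails. */
int utility_flag(int hook_rv)     { return run_stack(hook_rv, CTL_UTILITY); }

/* Sanity check: when the authenticator itself succeeds, the stack succeeds. */
int authenticator_succeeds(void)
{
    const struct entry stack[] = {
        { "pam_card.so (authenticator, hypothetical)", CTL_SUFFICIENT, PAM_SUCCESS },
        { "pam_hook.so (utility, hypothetical)",       CTL_REQUIRED,   PAM_IGNORE },
    };
    return dispatch(stack, 2);
}

int main(void)
{
    printf("utility returns PAM_SUCCESS -> %d (0 = access granted)\n", utility_returns_success());
    printf("utility returns PAM_IGNORE  -> %d (6 = PAM_PERM_DENIED)\n", utility_returns_ignore());
    printf("'utility' flag, PAM_SUCCESS -> %d\n", utility_flag(PAM_SUCCESS));
    printf("'utility' flag, service err -> %d\n", utility_flag(PAM_SERVICE_ERR));
    printf("authenticator succeeds      -> %d\n", authenticator_succeeds());
    return 0;
}
```

The simulation leaves out parts of the real dispatcher (the new_authtok_reqd code, substack and jump actions, the grantor check), so it is a model of the control-flag semantics rather than a reimplementation. Note that Linux-PAM's bracketed `[value=action]` syntax can already express the behaviour of the hypothetical CTL_UTILITY flag, for example `auth [success=ignore ignore=ignore default=bad] pam_hook.so`, which is a configuration-side way to get the "ignore success, fail on failure" treatment for a module whose own return codes cannot be changed.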