Bug 2291438 (CVE-2024-37408) - CVE-2024-37408 fprintd: unexpected actions might be authorized with fingerprint reader
Summary: CVE-2024-37408 fprintd: unexpected actions might be authorized with fingerpri...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2024-37408
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2291439
Blocks: 2291437
Reported: 2024-06-12 06:05 UTC by Rohit Keshri
Modified: 2024-06-28 06:31 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-06-28 06:31:11 UTC
Embargoed:



Description Rohit Keshri 2024-06-12 06:05:22 UTC
fprintd through 1.94.3 lacks a security attention mechanism, and thus unexpected actions might be authorized by "auth sufficient pam_fprintd.so" for Sudo.

https://gitlab.freedesktop.org/libfprint/fprintd/-/releases
https://lists.freedesktop.org/archives/fprint/2024-May/001231.html
https://www.openwall.com/lists/oss-security/2024/05/30/3

Comment 2 Rohit Keshri 2024-06-12 06:15:07 UTC
Created fprintd tracking bugs for this issue:

Affects: fedora-all [bug 2291439]

Comment 4 Benjamin Berg 2024-06-12 07:16:11 UTC
As I have said before, there is nothing that fprintd can do about this. The reporter is asking for something that is impossible to implement/ensure for the fprintd stack.

This is a fundamental problem with how PAM. The simple way to avoid it is to just not permit fingerprint authentication for "sudo" and on the console, but to only do it for PolicyKit and graphical login.

There is *nothing* that fprintd can do about this.
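The mitigation in the comment above is a PAM configuration matter: make sure no fingerprint module is reachable from the auth stack of "sudo" or console login, while leaving it in place for PolicyKit and graphical login. The following is an added example (not code from the bug, from fprintd, or from any distribution) that builds a hypothetical pam.d tree in which sudo reaches pam_fprintd.so via an included "system-auth" file, and provides a check that lists every service whose auth stack reaches pam_fprintd.so, following include/substack directives, so an administrator can confirm sudo and login are not among them.

```shell
#!/bin/sh
# Constructed sample pam.d tree (hypothetical, not copied from any distro):
# sudo and polkit-1 include system-auth, which lists pam_fprintd.so, so a
# fingerprint alone satisfies sudo, the situation the bug describes.
make_sample_pamd() {
  mkdir -p "$1"
  cat > "$1/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok
auth        required      pam_deny.so
EOF
  cat > "$1/sudo" <<'EOF'
auth       include      system-auth
account    include      system-auth
EOF
  cat > "$1/polkit-1" <<'EOF'
auth       include      system-auth
EOF
  cat > "$1/sshd" <<'EOF'
auth       required     pam_unix.so
EOF
}

# Return 0 if the auth stack of service $2 (under pam.d dir $1) reaches
# pam_fprintd.so, following include/substack; depth-limited to avoid loops.
# Uses "local" (supported by dash, bash and busybox sh).
auth_uses_fprintd() {
  local dir="$1" svc="$2" depth="${3:-0}" type control module rest
  [ "$depth" -le 5 ] && [ -f "$dir/$svc" ] || return 1
  while read -r type control module rest; do
    case "$type" in '#'*|'') continue ;; esac
    [ "$type" = auth ] || continue
    case "$control" in
      include|substack)
        auth_uses_fprintd "$dir" "$module" $((depth + 1)) && return 0 ;;
      *) case "$module" in *pam_fprintd.so) return 0 ;; esac ;;
    esac
  done < "$dir/$svc"
  return 1
}

# Print each service whose auth stack accepts a fingerprint. Per the
# mitigation above, "sudo" and console "login" should not appear here.
fprintd_auth_services() {
  local f name
  for f in "$1"/*; do
    name=${f##*/}
    auth_uses_fprintd "$1" "$name" && printf '%s\n' "$name"
  done
  return 0
}
```

Run `fprintd_auth_services /etc/pam.d` on a real system to see which services a fingerprint can unlock.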

