2316488 – (CVE-2024-47191) CVE-2024-47191 oath-toolkit: Local root exploit in a PAM module

Bug 2316488 (CVE-2024-47191) - CVE-2024-47191 oath-toolkit: Local root exploit in a PAM module

Summary: CVE-2024-47191 oath-toolkit: Local root exploit in a PAM module

Keywords:
Status:	NEW
Alias:	CVE-2024-47191
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2316489 2316494 2316490 2316491 2316492 2316493 2348752
Blocks:
TreeView+	depends on / blocked

Reported:	2024-10-04 15:39 UTC by OSIDB Bzimport
Modified:	2025-02-27 15:26 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-10-04 15:39:13 UTC

oath-toolkit[1] contains libraries and utilities for managing one-time password
(OTP) authentication e.g. as a second factor to password authentication. A couple of years ago, the module gained a feature which allows to place the OTP state file (called usersfile) in the home directory of the to-be-authenticated user. Fabian noticed that the PAM module performs unsafe file operations in users' home directories. Since PAM stacks typically run as root, this can easily cause security issues.

The feature in question has been introduced in oath-toolkit version 2.6.7 (via
commit 60d9902b5c [2]). The following report is based on the most recent
oath-toolkit release tag for version 2.6.11.

Note You need to log in before you can comment on or make changes to this bug.