CVE-2024-47191 : pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privi

pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink.

Published 2024-10-09 05:15:13

Updated 2024-10-10 12:51:57

Source MITRE

View at NVD, CVE.org

Vulnerability category: Gain privilege

Products affected by CVE-2024-47191

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-47191

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-47191

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.1	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	1.8	5.2	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-10-09
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
7.1	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	N/A	N/A	RedHat-CVE-2024-47191	2024-10-05
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2024-47191

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2024-47191

https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3235a52f6b87cd1c5da6508f421ac261f5e33a70

Improve liboath usersfile write handling. (3235a52f) · Commits · oath-toolkit / oath-toolkit · GitLab
https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/3271139989fde35ab0163b558fc29e80c3a280e5

Use gnulib's fopen-gnu instead of fopen, for cross-platform fopen(wx). (32711399) · Commits · oath-toolkit / oath-toolkit · GitLab
https://www.nongnu.org/oath-toolkit/security/CVE-2024-47191
https://security.opensuse.org/2024/10/04/oath-toolkit-vulnerability.html

oath-toolkit: privilege escalation in pam_oath.so (CVE-2024-47191) | SUSE Security Team Blog
https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/95ef255e6a401949ce3f67609bf8aac2029db418

pam_oath: When usersfile contains ${HOME} drop privs to user. (95ef255e) · Commits · oath-toolkit / oath-toolkit · GitLab
https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43

Privilege escalation issue in pam_oath with usersfile in ${HOME} (#43) · Issues · oath-toolkit / oath-toolkit · GitLab
https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/60d9902b5c20f27e70f8e9c816bfdc0467567e1a

Added support for user based placeholder values in pam_oath usersfile string. (60d9902b) · Commits · oath-toolkit / oath-toolkit · GitLab
https://www.openwall.com/lists/oss-security/2024/10/04/2

oss-security - CVE-2024-47191: Local root exploit in the PAM module pam_oath.so

Jump to

Vulnerability Details : CVE-2024-47191

Products affected by CVE-2024-47191

Exploit prediction scoring system (EPSS) score for CVE-2024-47191

CVSS scores for CVE-2024-47191

CWE ids for CVE-2024-47191

References for CVE-2024-47191