CVE-2024-47191: OATH Toolkit Bug Exposes Systems to Attack
A recently discovered vulnerability in OATH Toolkit, identified as CVE-2024-47191, allows attackers to escalate their privileges to the level of a superuser. The vulnerability was found in the toolkit’s “Pluggable Authentication Module” (PAM) component, which is used to integrate OTP authentication into login systems.
The issue arose due to insecure file handling within the user’s home directory when using the “pam_oath.so” module in PAM. Specifically, when the parameter “usersfile=${HOME}/user.oath” was configured, file operations were performed with root privileges but lacked proper security checks. This allowed attackers to create symbolic links to critical system files, such as “shadow,” enabling them to overwrite these files and change their ownership.
The vulnerability was introduced in version 2.6.7 and affected all subsequent versions up to 2.6.11. It was discovered by Fabian Vogt, a researcher from SUSE, and following coordinated efforts with the OATH Toolkit developers, an updated version 2.6.12 was released to address the issue.
The patch, developed by the SUSE team, focuses on fixing errors in the file-locking mechanism and ensures protection against symbolic link attacks. The changes also include secure file handling via system calls and enhanced protection against race conditions.
However, the SUSE patch is designed for Linux and relies on Linux-specific features such as “/proc/self/fd,” while a more portable version for other platforms was released by the OATH Toolkit developers.
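A defender's check for the configuration and version range described above, as an added example that is not part of the original article or the OATH Toolkit code base: it scans PAM service-file text for pam_oath.so rules whose usersfile uses ${HOME} and tests a version string against the 2.6.7 to 2.6.11 range. The sample PAM file, the function names and the window=20 argument are constructed for illustration.

```python
import re

# Affected range as stated in the article: introduced in 2.6.7, fixed in 2.6.12.
FIRST_AFFECTED, FIRST_FIXED = (2, 6, 7), (2, 6, 12)

# Constructed sample of a PAM service file (not taken from a real system).
SAMPLE_PAM = """\
# /etc/pam.d/sshd (constructed)
auth requisite pam_oath.so usersfile=/etc/users.oath window=20
auth [success=1 default=ignore] pam_oath.so \\
     usersfile=${HOME}/user.oath window=20   # per-user secrets
account required pam_unix.so
"""

def version_is_affected(text):
    """True if an upstream version such as '2.6.11' or '2.6.11-2.1' is in range.
    Distro packages may backport the fix, so treat a hit as a prompt to check."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    version = tuple(int(part) for part in match.groups())
    return FIRST_AFFECTED <= version < FIRST_FIXED

def logical_lines(config_text):
    """Yield (first_line_number, text): comments dropped, continuations joined."""
    pending, start = "", 0
    for number, raw in enumerate(config_text.splitlines(), 1):
        start = start or number
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # PAM continues a rule with backslash-newline
            pending += line[:-1] + " "
            continue
        yield start, pending + line
        pending, start = "", 0

def risky_pam_oath_lines(config_text):
    """Return (line_number, usersfile) for pam_oath.so rules whose usersfile
    is resolved inside the user's home directory via ${HOME}."""
    findings = []
    for number, line in logical_lines(config_text):
        fields = line.split()
        if not any(field.endswith("pam_oath.so") for field in fields):
            continue
        for field in fields:
            if field.startswith("usersfile=") and "${HOME}" in field:
                findings.append((number, field[len("usersfile="):]))
    return findings

if __name__ == "__main__":
    print(risky_pam_oath_lines(SAMPLE_PAM), version_is_affected("2.6.11"))
```

To audit a host, pass the contents of each file under /etc/pam.d to risky_pam_oath_lines and the installed package version to version_is_affected.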
Vulnerabilities in authentication systems underscore the importance of regular security audits and timely software updates. Organizations should diligently monitor patch releases, particularly for critical components, and implement rapid response processes to address emerging threats.