OATH Toolkit is a software suite that is primarily designed to implement OTP authentication systems. It includes libraries and command-line tools for generating both event-based (HOTP) and time-based (TOTP) OTPs.
Not only that even it also offers a “PAM module” for integrating OTP authentication into login processes.
SUSE Security Team researchers recently discovered a critical Oath-Toolkit vulnerability which has been tracked as “CVE-2024-47191” and this flaw enables threat actors to escalate privilege.
Oath-Toolkit Vulnerability
CVE-2024-47191 has been found in the oath-toolkit authentication system’s “Pluggable Authentication Module” (‘PAM’).
The flaw stems from unsafe file operations performed by “pam_oath.so” module when handling OTP authentication states in users’ “home directories.”
When configured with “usersfile=${HOME}/user.oath” in the “PAM stack,” the module would execute file operations with root privileges without proper ‘security checks.’
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
The vulnerability involved multiple unsafe operations, and here below we have mentioned them:-
- Using fopen() for reading usersfile.
- Creating lockfiles with “.lock” suffix.
- Implementing POSIX advisory locks via fcntl().
- Generating new usersfile with “.new” suffix.
- Applying fchown() for ownership changes.
- Performing rename() operations.
All these operations are operated while following symbolic links without verification. This security oversight allowed malicious users to exploit symbolic links (by creating “ln -s shadow $HOME/user.oath.new”) to overwrite critical system files like “shadow” and modify their ownership.
This enables unauthorized root privilege escalation without requiring “timing-sensitive race conditions” or “path guessing.”
The vulnerability was introduced in “oath-toolkit version 2.6.7” through commit “60d9902b5c” and affected through version 2.6.11.
It was initially reported by “SUSE engineer Fabian Vogt” and subsequently patched after coordinated disclosure efforts with the upstream maintainers.
The team of researchers developed a critical security patch for SUSE Linux to address multiple vulnerabilities in the PAM authentication system.
The patch focuses on resolving issues with the “usersfile” handling and its problematic locking mechanism.
All the key improvements include “implementing secure file traversal using the *at family of system calls,” “fixing broken lock file management that previously caused race conditions and lost updates,” and “adding protection against world-writable directory access.”
Researchers also enhanced the security by dropping privileges to match the “usersfile owner” and eliminated the need for separate “lock files” by implementing “direct file locking,” which prevents home directory clutter and NFS/CIFS network file system complications.
Besides this, the patch is Linux-specific due to its use of “/proc/self/fd” linking features, the upstream maintainers of oath-toolkit released “version 2.6.12” with an alternative which is a more portable cross-platform solution that addresses the core security vulnerability.
However, it’s not as comprehensive as “SUSE-specific implementation.”
Strategies to Protect Websites & APIs from Malware Attack => Free Webinar
The post Critical Oath-Toolkit Vulnerability Let Attackers Escalate Privilege appeared first on Cyber Security News.