The OATH Toolkit is a collection of software for building one-time password (OTP) verification systems. It provides libraries and command-line utilities for generating event-based (HOTP) and time-based (TOTP) OTPs.

It also ships a PAM module (pam_oath) that integrates OTP authentication into login procedures.

A critical vulnerability in the oath-toolkit, tracked as CVE-2024-47191, was recently uncovered by the SUSE Security Team. The flaw allows an unprivileged user to escalate privileges.

Oath-Toolkit Vulnerability

CVE-2024-47191 lies in the oath-toolkit's Pluggable Authentication Module (PAM).

The vulnerability arises from insecure file operations performed by the pam_oath.so module while managing OTP authentication state in users' home directories.

When the PAM stack is configured with “usersfile=${HOME}/user.oath”, the module performs these file operations with root privileges and without adequate security checks.

The vulnerability spans several insecure operations:

  • Opening the usersfile for reading with fopen().
  • Creating a lock file with a “.lock” suffix.
  • Taking POSIX advisory locks through fcntl().
  • Creating a new usersfile with a “.new” suffix.
  • Changing ownership with fchown().
  • Replacing the file with rename().

All of these operations are carried out without checking for symbolic links. A malicious user can plant a symlink (for example, “ln -s shadow $HOME/user.oath.new”) so that the module, running as root, overwrites critical system files such as “shadow” and changes their ownership.

This yields root privileges without any timing-sensitive race condition or path guessing.

The vulnerability was introduced in oath-toolkit version 2.6.7 by commit “60d9902b5c” and persisted through version 2.6.11.

The issue was initially reported by SUSE engineer Fabian Vogt and fixed after coordinated disclosure with the upstream maintainers.

The SUSE researchers developed a security patch for SUSE Linux that fixes several flaws in the PAM module.

The patch focuses on the handling of the usersfile and its problematic locking mechanism.

Timeline (source: openSUSE)

The main enhancements are implementing secure file traversal with the *at family of system calls, fixing the broken lock-file management that previously caused race conditions and lost updates, and adding protection against world-writable directories.

The patch also drops privileges to those of the usersfile owner and removes the need for separate lock files by locking the usersfile directly, which avoids cluttering home directories and avoids complications on NFS/CIFS network file systems.
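The hardened pattern just described, applied to the unsafe operations listed earlier (open the directory first and refuse a world-writable one, openat() with O_NOFOLLOW, check that the result is a plain file owned by the expected user, lock the usersfile itself instead of a separate .lock file), as an added example that is not pam_oath's own code or SUSE's patch. The scratch directory path, file names and the sample usersfile line are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
/* Hardened open of "name" inside "dir": open the directory first and refuse
 * a world-writable one; openat() relative to it with O_NOFOLLOW; require a
 * plain file owned by the expected user; lock the file itself (no .lock file).
 * Returns an open, locked fd, or -1 on any rejected condition. */
int open_usersfile_safely(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    if (fstat(dfd, &st) < 0 || (st.st_mode & S_IWOTH)) { close(dfd); return -1; }
    int fd = openat(dfd, name, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    close(dfd);
    if (fd < 0) return -1;                 /* ELOOP: a symlink was planted here */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd); return -1;
    }
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
    if (fcntl(fd, F_SETLKW, &fl) < 0) { close(fd); return -1; }
    return fd;
}

/* Constructed fixture: a scratch directory holding a real usersfile plus a
 * symlink named like the ".new" temporary file the vulnerable code created.
 * Returns 1 when the real file is accepted and the symlink is rejected. */
int run_demo(void)
{
    char dir[] = "/tmp/oath-demo-XXXXXX";
    char real[300], planted[300];
    if (!mkdtemp(dir)) return 0;
    snprintf(real, sizeof real, "%s/user.oath", dir);
    snprintf(planted, sizeof planted, "%s/user.oath.new", dir);
    FILE *f = fopen(real, "w");
    if (!f) return 0;
    fputs("HOTP alice - 3132333435363738393031323334353637383930\n", f); /* sample */
    fclose(f);
    if (symlink(real, planted) < 0) return 0;
    int good = open_usersfile_safely(dir, "user.oath", getuid());
    int bad  = open_usersfile_safely(dir, "user.oath.new", getuid());
    if (good >= 0) close(good);
    unlink(planted); unlink(real); rmdir(dir);
    return good >= 0 && bad < 0;
}
```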

Because the patch relies on Linux-specific “/proc/self/fd” linking, the upstream oath-toolkit maintainers released version 2.6.12 with an alternative, more portable fix that addresses the core security vulnerability.

It does not, however, offer the same comprehensive coverage as the SUSE-specific implementation.

The post Critical Oath-Toolkit Vulnerability Let Attackers Escalate Privilege appeared first on Cyber Security News.