oss-sec mailing list archives
Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531)
From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Thu, 6 Feb 2025 22:48:53 -0600
On 2/6/25 08:55, Matthias Gerstner wrote:
> [...]
>
> On the use of `PAM_SUCCESS`
> ---------------------------
>
> PAM modules that only serve utility functions but do not actually authenticate could consider not returning `PAM_SUCCESS` but `PAM_IGNORE` instead. This would avoid unintended successful authentication in a situation like described in this report. It seems natural to PAM module authors to return `PAM_SUCCESS` if nothing in their module failed, however. A lot of modules work this way and changing them all would be a big effort.
I have pruned the entire quote down to that paragraph because that is the root cause of this and other issues. A similar issue occurred two weeks ago with pam-u2f (CVE-2025-23013) and the same problem of utility modules returning PAM_SUCCESS despite not actually authenticating anything.
These problems are going to keep happening as long as utility modules continue to misuse PAM_SUCCESS.
There might be a possible workaround of adding a new keyword "utility" or "hook" to PAM that ignores success but fails on actual failure and using that with utility modules.
-- Jacob
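The stack behaviour discussed in this thread, as an added example that is not part of either message and is not libpam code: a simplified C model of how Linux-PAM combines module results under the `required`, `sufficient` and `optional` controls described in pam.conf(5). The `UTILITY` control is hypothetical and models the keyword proposed above as `[success=ignore default=bad]`; the stacks, and the authenticating module yielding `PAM_IGNORE` on an error path, are constructed assumptions.

```c
/* Added example: simplified model of Linux-PAM stack evaluation, not libpam code. */
#include <stdio.h>

enum ret { R_SUCCESS, R_AUTH_ERR, R_IGNORE };         /* subset of PAM return values */
enum act { A_IGNORE, A_OK, A_DONE, A_BAD };           /* subset of stack actions */
enum ctl { REQUIRED, SUFFICIENT, OPTIONAL, UTILITY }; /* UTILITY is hypothetical */
struct entry { enum ctl ctl; enum ret ret; };         /* control + what the module returned */

/* Keyword-to-action mapping as documented in pam.conf(5); UTILITY is assumed
 * to mean [success=ignore ignore=ignore default=bad]. */
static enum act action(enum ctl c, enum ret r) {
    switch (c) {
    case REQUIRED:   return r == R_SUCCESS ? A_OK : r == R_IGNORE ? A_IGNORE : A_BAD;
    case SUFFICIENT: return r == R_SUCCESS ? A_DONE : A_IGNORE;
    case OPTIONAL:   return r == R_SUCCESS ? A_OK : A_IGNORE;
    case UTILITY:    return r == R_AUTH_ERR ? A_BAD : A_IGNORE;
    }
    return A_BAD;
}

/* Returns 1 if the whole stack reports success. A stack in which no module
 * left a positive impression fails, as in libpam. */
int stack_succeeds(const struct entry *s, int n) {
    int positive = 0, negative = 0;
    for (int i = 0; i < n; i++) {
        enum act a = action(s[i].ctl, s[i].ret);
        if (a == A_BAD) {
            negative = 1;
        } else if ((a == A_OK || a == A_DONE) && !negative) {
            positive = 1;
            if (a == A_DONE) break;   /* "sufficient" ends the stack early */
        }
    }
    return positive && !negative;
}

/* Constructed stacks: entry 0 is the authenticating module, entry 1 a utility module. */
const struct entry bypass[]   = { {REQUIRED, R_IGNORE},  {OPTIONAL, R_SUCCESS} };
const struct entry ignoring[] = { {REQUIRED, R_IGNORE},  {OPTIONAL, R_IGNORE}  };
const struct entry hooked[]   = { {REQUIRED, R_IGNORE},  {UTILITY,  R_SUCCESS} };
const struct entry normal[]   = { {REQUIRED, R_SUCCESS}, {UTILITY,  R_SUCCESS} };
const struct entry hookfail[] = { {REQUIRED, R_SUCCESS}, {UTILITY,  R_AUTH_ERR} };

int main(void) {
    printf("auth ignored, utility returns PAM_SUCCESS: %d\n", stack_succeeds(bypass, 2));
    printf("auth ignored, utility returns PAM_IGNORE:  %d\n", stack_succeeds(ignoring, 2));
    printf("auth ignored, utility under hook control:  %d\n", stack_succeeds(hooked, 2));
    printf("auth succeeds, utility under hook control: %d\n", stack_succeeds(normal, 2));
    printf("auth succeeds, hooked utility fails:       %d\n", stack_succeeds(hookfail, 2));
    return 0;
}
```

Only the first stack reports success without any module having authenticated the user; returning `PAM_IGNORE` from the utility module or placing it under the hypothetical control both make the stack fail closed.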
