A recently identified vulnerability in Ubuntu’s Authd, CVE-2024-9312, has raised significant security concerns.
The flaw, present through version 0.3.6, allows local attackers to spoof user IDs, potentially gaining unauthorized access to privileged accounts.
Cause of the Vulnerability – CVE-2024-9312
The root cause of this vulnerability lies in how Authd assigns user IDs. The system uses a deterministic method based on user names, which lacks sufficient randomness to prevent ID collisions.
According to the birthday paradox principle, this approach creates a high probability of collisions after approximately 54,562 IDs are assigned.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
Furthermore, Ubuntu’s Authd mechanism for ensuring ID uniqueness is limited to its local cache.
This cache can be inconsistent across systems within the same domain and may be purged regularly, especially if users have not logged into a specific system for over six months.
This inconsistency increases the risk of ID duplication and potential exploitation.
Impact and Exploitation
The impact of this vulnerability is significant. An attacker who can register user names can engineer situations where their created user ID collides with a target user’s. This can be achieved by:
- Purging the Cache: Encouraging system administrators to purge the /var/cache directory.
- Targeting System Accounts: Exploiting accounts whose UIDs fall within Authd’s range.
- Exploiting Inactive Accounts: Targeting accounts that haven’t logged into a specific system recently.
Once an attacker successfully logs in with a colliding ID, they gain the same privileges as the target user, potentially compromising sensitive data and system integrity.
To mitigate this vulnerability, it is recommended that external Identity Providers (IdPs) supply guaranteed-unique user IDs.
Various IdPs, such as LDAP and Active Directory, support this approach. If integrating with an external IdP is not feasible, architectural changes to Authd are necessary.
These changes should include managing mutable state to ensure uniqueness across systems and synchronizing this state for environments requiring uniform UIDs.
CVE-2024-9312 poses a high risk due to its potential impact on confidentiality, integrity, and availability.
Organizations using affected versions of Authd should prioritize implementing remediation strategies to safeguard their systems against unauthorized access and data breaches.
How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)