CVE-2024-10963: pam_access Auth Bypass Vulnerability

CVE-2024-10963 Overview

A significant authentication bypass vulnerability has been discovered in pam_access, a critical PAM (Pluggable Authentication Modules) component used for access control on Linux systems. The flaw exists in how pam_access parses and interprets certain rules in its configuration file (/etc/security/access.conf), where specific entries are mistakenly treated as hostnames rather than their intended purpose.

This vulnerability allows attackers to spoof trusted hostnames and bypass access control restrictions, potentially gaining unauthorized access to systems, services, or terminals that rely on pam_access for authentication decisions.

Critical Impact

Attackers can impersonate trusted hosts to bypass PAM access controls, gaining unauthorized system access on Linux environments relying on pam_access for host-based authentication.

Affected Products

• Linux-PAM (pam_access module)
• Red Hat Enterprise Linux (multiple versions)
• Linux distributions using affected PAM versions

Discovery Timeline

• November 7, 2024 - CVE-2024-10963 published to NVD
• February 6, 2025 - Last updated in NVD database

Technical Details for CVE-2024-10963

Vulnerability Analysis

The vulnerability is classified under CWE-287 (Improper Authentication), indicating a fundamental flaw in how authentication decisions are made within the pam_access module. The issue stems from improper parsing logic in the access control configuration file handler.

When processing access rules defined in /etc/security/access.conf, the pam_access module incorrectly interprets certain configuration entries as hostnames. This misinterpretation creates a window where an attacker can craft requests that appear to originate from trusted hosts, effectively circumventing the intended access control policy.

The attack requires network access but involves high complexity to successfully exploit. No user interaction is required, and the vulnerability can be exploited without prior authentication or privileges. A successful attack can result in high impact to both confidentiality and integrity, as attackers could access restricted services or terminals.

Root Cause

The root cause lies in the parsing logic within pam_access that handles configuration rules. The module fails to properly distinguish between different types of access control entries, leading to certain rules being incorrectly processed as hostname-based access decisions. This parsing error allows hostname spoofing attacks to succeed where they should be rejected.

Attack Vector

The attack is network-based and involves the following general approach:

1. An attacker identifies a target system using pam_access for host-based access control
2. The attacker analyzes or guesses the access control rules configured in /etc/security/access.conf
3. By crafting authentication requests that exploit the hostname misinterpretation bug, the attacker can make their connection appear to originate from a trusted host
4. The pam_access module incorrectly validates the spoofed hostname, granting access that should be denied

The vulnerability is particularly dangerous for systems that rely heavily on hostname-based access restrictions for services such as SSH, console login, or other PAM-authenticated services.

Detection Methods for CVE-2024-10963

Indicators of Compromise

• Unexpected successful authentications from unrecognized or suspicious source hosts in PAM logs
• Anomalous login patterns to restricted services or terminals
• Authentication events that bypass expected access control rules in /var/log/secure or /var/log/auth.log
• Discrepancies between configured access rules and actual authentication outcomes

Detection Strategies

• Monitor PAM authentication logs for successful logins from hosts not matching trusted hostname patterns
• Implement network-level monitoring to detect hostname spoofing attempts
• Audit access control configuration files for rules that may be vulnerable to misinterpretation
• Deploy intrusion detection rules to identify suspicious authentication patterns

Monitoring Recommendations

• Enable verbose PAM logging to capture detailed authentication decisions
• Correlate network connection metadata with PAM authentication events to detect hostname inconsistencies
• Implement alerting for authentication successes from hosts not on approved lists
• Regularly review and audit pam_access configuration files for proper rule syntax

How to Mitigate CVE-2024-10963

Immediate Actions Required

• Apply the latest PAM security updates from your Linux distribution vendor
• Review and audit current /etc/security/access.conf configuration for potentially affected rules
• Consider implementing additional authentication layers beyond hostname-based access control
• Monitor authentication logs closely for signs of exploitation attempts

Patch Information

Red Hat has released multiple security advisories addressing this vulnerability. Affected systems should be updated using the appropriate advisory for their distribution version:

• Red Hat Security Advisory RHSA-2024:10232
• Red Hat Security Advisory RHSA-2024:10244
• Red Hat Security Advisory RHSA-2024:10379
• Red Hat Security Advisory RHSA-2024:10518
• Red Hat Security Advisory RHSA-2024:10528
• Red Hat Security Advisory RHSA-2024:10852

Additional technical details are available at the Red Hat CVE Analysis page and Red Hat Bug Report #2324291.

Workarounds

• Supplement pam_access with IP-based firewall rules rather than relying solely on hostname verification
• Use pam_access rules with explicit IP addresses instead of hostnames where possible
• Implement network segmentation to limit exposure of vulnerable services
• Consider using certificate-based or key-based authentication in addition to host-based access controls

# Example: Update PAM packages on Red Hat-based systems
sudo dnf update pam

# Example: Verify current PAM version after update
rpm -qa | grep pam

# Example: Review current pam_access configuration
cat /etc/security/access.conf