In February 2025, security researchers identified three critical vulnerabilities in PAM-PKCS#11, a widely used Linux Pluggable Authentication Modules (Linux-PAM) login module that provides X.509 certificate-based user authentication. These vulnerabilities, designated CVE-2025-24032, CVE-2025-24531, and CVE-2025-24031, pose significant security risks: they allow attackers to bypass authentication or cause a denial of service.
CVE-2025-24031 affects versions 0.6.12 and earlier: the module segfaults if the user cancels PIN entry (by pressing Ctrl-C or Ctrl-D). The resulting crash causes a denial of service, impacting availability.
CVE-2025-24032 affects versions of PAM-PKCS#11 prior to 0.6.13. When the cert policy is set to none (the default setting), the module only checks whether the user can log into the token and never verifies a signature made with the private key. This flaw enables an attacker to create a token containing the user's public certificate and a known PIN, and thereby log in as the user without possessing the private key.
CVE-2025-24531 was introduced in version 0.6.12 and fixed in version 0.6.13. This vulnerability allows an authentication bypass in error situations, particularly when memory allocation fails or a privilege change goes wrong. In those cases the module returns PAM_IGNORE, which results in an authentication bypass if the no-user-ok option is enabled, allowing attackers to log in without proper verification.
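As an added illustration (not from the advisory or the pam_pkcs11 project), the following POSIX shell helper flags the three conditions described above on a host that does use pam_pkcs11: a version older than 0.6.13, cert_policy set (or defaulting) to none in pam_pkcs11.conf, and no-user-ok on the PAM stack line. The sample configuration and PAM line are constructed, and `sort -V` is assumed to be available for version ordering.

```shell
#!/bin/sh
# Audit helper (added example, not part of the advisory or of pam_pkcs11 itself).

# version_lt A B -> succeeds when A sorts before B (assumes GNU/busybox sort -V)
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# cert_policy_of FILE -> prints the cert_policy value; "none" when absent,
# since the advisory states that none is the module's default
cert_policy_of() {
    val=$(sed -n 's/^[[:space:]]*cert_policy[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p' "$1" \
          | head -n1 | sed 's/[[:space:]]*$//')
    printf '%s\n' "${val:-none}"
}

# audit VERSION CONF_FILE PAM_LINE -> prints one finding per line, fails if any
audit() {
    findings=0
    if version_lt "$1" "0.6.13"; then
        echo "pam_pkcs11 $1 is older than 0.6.13 (CVE-2025-24031/24032/24531 fixed there)"
        findings=$((findings + 1))
    fi
    case "$(cert_policy_of "$2")" in
        none) echo "cert_policy is none: private-key signature never checked (CVE-2025-24032)"
              findings=$((findings + 1)) ;;
    esac
    case "$3" in
        *no-user-ok*) echo "no-user-ok set: PAM_IGNORE on error bypasses auth (CVE-2025-24531)"
                      findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample: old version, explicit cert_policy = none, no-user-ok on the PAM line.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    cert_policy = none;
  }
}
EOF
SAMPLE_PAM_LINE="auth sufficient pam_pkcs11.so no-user-ok"
audit "0.6.12" "$SAMPLE_CONF" "$SAMPLE_PAM_LINE" || echo "=> review required"
```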
This article discusses the impact of these vulnerabilities in the current versions of CA PAM.
CA PAM: 4.1.x and 4.2.x versions.
CA PAM does not use Linux-PAM (Linux Pluggable Authentication Modules) for user authentication and authorization, and is therefore not affected by the vulnerabilities referenced above.