CVE-2024-10041: Pam: libpam: libpam vulnerable to read hashed password

Published Oct 16, 2024
·
Updated

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

Other sources

A vulnerability was found in PAM. The secret is in memory, while the attacker can trigger the victim program to execute by sending characters to its stdin. In-between, they then train the branch predictor to speculatively execute a ROP chain.

Moreover, when stdin is a pipe or file, the FILE IO buffer malloc'd will receive the just-freed IO buffer that was used to read /etc/shadow, so it is also possible to have the secret conveniently available in the uninitialized memory of the stdin's FILE buf.=20

This makes several registers reference the /etc/shadow contents during the read-loop of the fgets call that the polkit agent uses in the pam conversation.=20

The attack is difficult to pull of: - Attacker needs to find a gadget chain in the mapped-in executable memory of the victim - Attacker needs to trigger TLB entries to be prefetched to win the race and fit the transient operations in the misspeculation window. - Attacker needs to tweak the attack to break ASLR. This they also can do using Spectre as well.

Red Hat

Pam: libpam: libpam vulnerable to read hashed password

Microsoft

Affected Software

6 affected componentsFixes available
All of the following
Linux-PAM Linux-PAM
Any of the following
redhat Enterprise Linux=7.0
redhat Enterprise Linux=8.0
redhat Enterprise Linux=9.0
Microsoft cbl2 pam 1.5.1-7
Patch available
Microsoft azl3 pam 1.5.3-4
Patch available

Event History

Oct 16, 2024
Data Sourced
via Red Hat·03:23 PM
DescriptionSeverityAffected Software
Oct 23, 2024
CVE Published
via MITRE·01:46 PM
Data Sourced
via MITRE·01:46 PM
DescriptionSeverityWeakness
Jan 10, 2025
Data Sourced
via Microsoft·08:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·08:00 AM
Affected Software
Updated
via Microsoft·08:00 AM
Affected Software
Updated
via Microsoft·08:00 AM
DescriptionSeverity
May 2, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-10041?

CVE-2024-10041 is classified as a high severity vulnerability due to the potential for an attacker to exploit it to execute arbitrary code.

2

How do I fix CVE-2024-10041?

To fix CVE-2024-10041, users should update to the latest version of PAM that addresses this vulnerability.

3

What does CVE-2024-10041 affect?

CVE-2024-10041 affects Linux PAM implementations, particularly in environments using vulnerable versions of Red Hat Enterprise Linux.

4

Who can be affected by CVE-2024-10041?

Users and systems running vulnerable versions of Linux PAM on Red Hat Enterprise Linux are at risk of exploitation due to CVE-2024-10041.

5

Is there a workaround for CVE-2024-10041?

Currently, the recommended approach is to apply updates, as there are no effective workarounds documented for CVE-2024-10041.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203