Summary
CVE description:
Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges.
----- original report -----
Cause
authd assigns user IDs as a pure function of the user name. Moreover, the set of UIDs is much too small for pseudo-random assignment to work: the birthday bound predicts random collisions will occur with probability 50% after only 54 562 IDs were assigned.
authd only checks for uniqueness within its local cache, which
- may be inconsistent across multiple systems within the same domain ;
- may be purged, due to being stored in
/var/cache; - automatically removes entries of users who have not logged into that specific system within the last 6 months.
The current GenerateID method, authored in September 2024 (commit a6c85ed24b8d17a2d11c859e8d70f5a52fa69690),
repeatedly hashes the user name until the 4 leading bytes fall into the interval [60 000; 2³¹[ :
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/users/manager.go#L425
https://github.com/ubuntu/authd/blob/f9f851540e6377fca18a45ce7a02d024c1dbd6e9/internal/services/nss/nss.go#L188
Previous versions are affected by similar issues, though without the use of a cryptographic hash in GenerateID, making exploitation computationally-easier.
Acknowledgements
Thanks to Michael Gebetsroither for assisting with the writeup, and Jamie Bliss for the same as well as investigating when the issue was introduced in authd.
Impact
Since GenerateID is a pure function with no secret input, and the set of UIDs is small, an adversary which can register users with chosen names can
- register multiple users with colliding IDs, or
- register a single user whose ID collides with a target user's, whether one managed by
authd, or a system user whose well-known ID is in a range which overlapsauthd's.
In the latter case, as all access control performed by the Linux kernel (and other Unices' kernels) is based on IDs and not usernames, if the attacker can sign into a system, they will have the same privileges as the target user. The attacker can bypass the uniqueness check in (at least) the following ways:
- engineer a situation where the system administrator purges
/var/cache; - target a system account whose UID is in
authd's range ; - target an account which hasn't logged into a specific system in more than 6 months.
Note that this isn't limited to inactive accounts within the entire domain, and impersonation on a given system can potentially be leveraged to compromise the target account on other systems; for example:- user
aliceis known to log into1.example.com; - the attacker computes a preimage (a username which yields the same UID), let's call it
bob; - the attacker creates the account
boband logs into2.example.com, succeeding if alice hasn't (recently) logged into that system ; - the attacker can now manipulate resources exposed on
2as if they were alice; assuming/homeis shared, they could manipulate~alice/.ssh/authorized_keys,~alice/.config, alice's shell's initialization file, etc.
Note: NFSv4'sidmapmechanism may prevent this, but isn't enabled by default (unless Kerberos is used, which isn't the case in anauthddeployment) - at that point, gaining code execution as alice on
1.example.comis usually trivial.
- user
Since the necessary computation can be performed entirely offline, this wouldn't be affected by any rate-limits, and the only audit trail would be a single user registration. This would require on average less than 2³¹ computations of GenerateID: assuming SHA-256's cost is 25 cycles-per-byte, a clock speed of 3GHz, and short (≤32B) generated usernames, this is less than 10 minutes of a single core's time.
CVE-2024-9312 has a CVSS score of 7.5 (Medium). The vector is requires local access, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The simplest and likely-best remediation path would be for the external IdP to provide a guaranteed-unique user ID in the correct range.
In OIDC, this is commonly communicated through a claim, though its name would need to be configurable as there's no real standard:
- CERN uses
cern_person_id: https://auth.docs.cern.ch/user-documentation/oidc/config/ ; - Okta, Zitadel, and many other IdPs, require the realm's administrator to define a custom attribute, conventionally called
uidoruidNumber; - etc.
This is also supported by other commonplace identity providers, such as LDAP and Active Directory:
https://learn.microsoft.com/en-us/windows/win32/adschema/a-uidNumber
MS Entra presumably supports this as well.
If that is not possible for some reason, architectural changes to authd would likely be required:
assigning user IDs from a small space (such as Linux's 32b UIDs) requires mutable state to ensure uniqueness, whereas authd's design currently assumes no mutable state is held, aside from some transient, local cache.
Moreover, that mutable state may need to be synchronised across multiple machines as uniform UIDs are often necessary, for instance when accessing a common networked filesystem.
Frequently Asked Questions
- What is CVE-2024-9312? CVE-2024-9312 is a medium-severity security vulnerability in github.com/ubuntu/authd (go), affecting versions <= 0.0.0-20230706090440-d8cb2d561419. No fixed version is listed yet.
- How severe is CVE-2024-9312? CVE-2024-9312 has a CVSS score of 7.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/ubuntu/authd are affected by CVE-2024-9312? github.com/ubuntu/authd (go) versions <= 0.0.0-20230706090440-d8cb2d561419 is affected.
- Is there a fix for CVE-2024-9312? No fixed version is listed for CVE-2024-9312 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2024-9312 exploitable, and should I be worried? Whether CVE-2024-9312 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-9312 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.