Identifying Insufficient User ID Randomization in Authd
CVE-2024-9312

7.5HIGH

Key Information:

Vendor: Canonical Ltd.
Status: Authd
Vendor: CVE Published:; 10 October 2024

Summary

An authentication vulnerability exists in Authd, up to version 0.3.6, where insufficient randomization of user IDs can lead to collisions. This flaw allows a local attacker, capable of registering usernames, to spoof another user's ID, subsequently gaining unauthorized access to their privileges. This situation poses a significant risk to user security and data integrity, necessitating immediate remediation.

Affected Version(s)

Authd Linux 0 < 0.3.6

References

https://github.com/ubuntu/authd/security/advisories/GHSA-...

issue-tracking

https://www.cve.org/CVERecord?id=CVE-2024-9312

issue-tracking

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 10, 2024
Vulnerability Reserved
Sep 27, 2024

Credit

nicoo

Michael Gebetsroither

Jamie Bliss

Adrian Dombeck

Mark Esler