Identifying Insufficient User ID Randomization in Authd
CVE-2024-9312

7.5HIGH

Key Information:

Vendor

Canonical Ltd.

Status
Authd
Vendor
CVE Published:
10 October 2024

What is CVE-2024-9312?

An authentication vulnerability exists in Authd, up to version 0.3.6, where insufficient randomization of user IDs can lead to collisions. This flaw allows a local attacker, capable of registering usernames, to spoof another user's ID, subsequently gaining unauthorized access to their privileges. This situation poses a significant risk to user security and data integrity, necessitating immediate remediation.

Affected Version(s)

Authd Linux 0 < 0.3.6

References

https://github.com/ubuntu/authd/security/advisories/GHSA-...
issue-tracking
https://www.cve.org/CVERecord?id=CVE-2024-9312
issue-tracking

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

nicoo
Michael Gebetsroither
Jamie Bliss
Adrian Dombeck
Mark Esler
.
CVE-2024-9312 : Identifying Insufficient User ID Randomization in Authd