PAM: PAM insecure storage of secret information leading to speculative ROP chain exploitation (CVE-2024-10041) #shorts

Summary

CVE-2024-10041 is a speculative-execution side-channel flaw in PAM (Pluggable Authentication Modules) that can expose sensitive data such as shadow passwords. An attacker who can feed input to a PAM-using process's standard input can train the CPU's branch predictor and cause a ROP chain to execute speculatively, leaking secret data that is still held in process memory.

Product details

This issue affects PAM releases prior to version 1.6.0 (semver). It impacts Linux distributions that ship unpatched PAM libraries. SUSE has issued a moderate-severity security update to its AppArmor profiles and PAM packages to block exploitation, and other vendors (including Red Hat) have released patches or declared their shipped versions unaffected.

Vulnerability type summary

CVE-2024-10041 is classified as "Insecure Storage of Sensitive Information" combined with a speculative-execution (Spectre-style) side channel. The bug arises from sensitive data remaining in process memory after use, where it can be exposed indirectly through microarchitectural behavior.

Details of the vulnerability

When PAM authenticates a user, it temporarily loads secret information (for example, entries from /etc/shadow) into process memory. An attacker who can send crafted characters to the PAM-using process's stdin can train the CPU's branch predictor. During speculative execution, the attacker-controlled ROP gadget chain reads bits of the secret and encodes them in cache side effects. By measuring cache timing, the attacker reconstructs the password hash or other sensitive data. No special privileges are required beyond the ability to interact with the target program's input stream.

Conclusion

Organizations should update PAM to version 1.6.0 or later and apply the SUSE AppArmor security patch (moderate severity), which tightens access controls on PAM executables. In addition, deploy standard Spectre mitigations (CPU microcode updates, retpolines) and monitor authentication logs for unusual input patterns. Users of any Linux distribution with PAM should install vendor-supplied updates promptly to eliminate the CVE-2024-10041 risk.

Watch the full video on YouTube: CVE-2024-10041

Remediation and exploitation details

This chain involves the following actors

  • Attacker: Malicious actor or researcher who exploits the vulnerability
  • System Administrator: Maintains and secures the Linux authentication environment

The following systems are involved

  • Pluggable Authentication Modules (Provide a modular framework for user authentication in Linux): Loads credentials into memory during login and service authentication
  • Branch Predictor (Guide speculative execution in modern processors to speed up conditional code): Can be manipulated to execute unauthorized instruction sequences before branch resolution
  • Processor Cache (Store recently accessed data to reduce memory access latency): Used as a side channel to leak secret bytes via timing measurements

Attack entry point

  • Standard Input: The input stream accepted by a process, used to trigger the PAM authentication routine

Remediation actions

  • System Administrator: Install patched PAM packages from the vendor (system: Pluggable Authentication Modules)
  • System Administrator: Apply the AppArmor memory protection updates (system: Linux kernel and security framework)

Exploitation actions

  • Train the processor's branch predictor (actor: Attacker; system: Branch Predictor): execute repeated valid authentication calls to create a predictable branch history
    Example: loop pam_authenticate("user", "wrongpass") to establish a consistent branch outcome
  • Send crafted authentication input to PAM (actor: Attacker; system: Pluggable Authentication Modules): invoke the module with input patterns that align with the trained branch conditions
    Example: submit a padded username string whose length matches the prior training sequence
  • Trigger a speculative return-oriented programming chain (actor: Attacker; system: Pluggable Authentication Modules): exploit the misprediction window to speculatively execute a chain of short code sequences that read secret memory
    Example: redirect speculative execution through gadgets that load bytes from the /etc/shadow buffer
  • Leak the secret data via a side channel (actor: Attacker; system: Processor Cache): measure access times to cache lines to reconstruct each byte of the secret
    Example: flush a cache line, execute the gadget, then reload and time the access to infer a bit value

CVE database technical details

  • CVE ID: CVE-2024-10041
  • Description: A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
  • Provider: redhat
  • CWE / problem types: Insecure Storage of Sensitive Information
  • Affected software versions:
    • PAM upstream (semver): versions before 1.6.0, affected
    • Red Hat Enterprise Linux 8: 0:1.3.1-36.el8_10 and later (rpm), unaffected
    • Red Hat Enterprise Linux 9: 0:1.5.1-21.el9_5 and later (rpm), unaffected
    • Red Hat Enterprise Linux 9.4 Extended Update Support: 0:1.5.1-21.el9_4 and later (rpm), unaffected
    • Red Hat Enterprise Linux 7: no version data
  • Date published: 2024-10-23T13:46:27.963Z
  • Last updated: 2025-01-02T14:21:38.425Z