CVE-2024-47191: 
CBL Mariner vulnerability analysis and mitigation

A local root privilege escalation vulnerability (CVE-2024-47191) was discovered in the oath-toolkit versions 2.6.7 through 2.6.11. The vulnerability exists in the pam_oath.so PAM module when handling usersfile access in the context of PAM code running as root. The issue was introduced in version 2.6.7 (released on 2021-05-01) with the addition of ${HOME} indirection variable support in the usersfile parameter (OATH Security, SUSE Advisory).

The vulnerability stems from unsafe file operations performed by the PAM module in users' home directories while running with root privileges. The PAM module invokes the oathauthenticateusersfile() function in liboath/usersfile.c, which naively follows symlinks and performs file operations without dropping privileges. The issue involves multiple unsafe operations including opening files via fopen(), creating lock files, changing file ownership via fchown(), and file renaming - all while maintaining root privileges (SUSE Advisory, OSS Security).

An unprivileged user can exploit this vulnerability to gain root privileges on affected systems. By creating a symbolic link from their home directory to sensitive system files (such as /etc/shadow), an attacker can cause these files to be overwritten and have their ownership changed to the attacking user during the authentication process. This allows complete system compromise without requiring any race conditions or pathname guessing (SUSE Advisory).

The vulnerability has been fixed in oath-toolkit version 2.6.12. The fix includes using fopen(wx) to prevent symlink attacks and implementing proper privilege dropping via seteuid()/setegid(). For systems unable to upgrade, SUSE has developed an alternative patch that implements additional security measures including safe path traversal using *at family system calls and proper privilege dropping. Systems using the default configuration with usersfile=/etc/users.oath are not vulnerable (OATH Security, SUSE Advisory).