CVE-2025-5689
EUVD-2025-18385
Severity: HIGH, 8.5 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 21:59 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:59 (euvd), EUVD-2025-18385
Patch Released: Mar 14, 2026 - 21:59 (nvd), patch available
CVE Published: Jun 16, 2025 - 12:15 (nvd), HIGH 8.5

Description

A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user logging in for the first time will be considered part of the root group in the context of that SSH session.

Analysis

A privilege escalation flaw in authd's handling of the temporary user record during pre-authentication NSS operations causes users logging in over SSH for the first time to be incorrectly assigned root group membership within their session context. This allows authenticated users (PR:L) to gain elevated group privileges over the network (AV:N) with low complexity, affecting system confidentiality (C:H) and integrity (I:L). The vulnerability has a high CVSS score of 8.5, though real-world exploitation requires valid login credentials and depends on the specifics of the authentication infrastructure.

Technical Context

The vulnerability exists in authd (authentication daemon) and its interaction with NSS (Name Service Switch) during the pre-authentication phase. Specifically, when authd creates a temporary user record for a first-time SSH authentication, it incorrectly initializes group memberships to include the root group (GID 0). This is a CWE-269 (Improper Access Control / Unintended Access) issue in which the access control logic fails to properly restrict group membership assignment. The flaw manifests in the NSS layer responsible for user and group lookups during SSH authentication, so it affects any system using authd with SSH that relies on dynamic user provisioning or first-time user authentication. The root cause appears to be insufficient validation or initialization of the group context in the temporary user record before it is made available to the authentication context.

Affected Products

Based on the description, the vulnerability affects the authd daemon (authentication daemon implementation) and systems running SSH with NSS-based user/group resolution. Specific affected products likely include Linux distributions and Unix variants using authd for authentication (exact CPE strings would typically be cpe:2.3:a:*:authd:*:*:*:*:*:*:*:* or similar). RedHat/CentOS/Fedora systems, Debian/Ubuntu systems, and other distributions with authd implementations are potentially affected. Without explicit vendor advisory links or CVE references provided, the specific version ranges cannot be definitively stated, but first-time user authentication implementations from 2024-2025 should be assumed vulnerable until patched. Affected configurations include SSH servers using PAM/NSS for authentication, systems with dynamic user provisioning on first login, and environments where authd manages temporary user records.

Remediation

Immediate remediation steps:
(1) Patch authd to the latest patched version from your distribution vendor (check RedHat Security Advisories, the Debian Security Tracker, or your vendor's bulletin for CVE-2025-5689).
(2) Until patching, implement workarounds by restricting SSH access to known users only (disable password authentication if possible, and use key-based authentication with restricted authorized_keys).
(3) Review and restrict sudo and group membership policies to minimize the blast radius if a first-time user gains elevated group access.
(4) Monitor authd logs and SSH authentication logs for first-time user logins and unexpected group assignments.
(5) Consider disabling first-time user auto-provisioning features if feasible.
(6) Apply the patch through standard distribution update channels (yum update authd, apt-get update && apt-get upgrade authd, or equivalent).
Verify patch application by checking the authd version after the update and testing first-time user authentication in a controlled environment.
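The monitoring step (4) and the post-patch verification above both come down to one observable: a non-root user whose SSH session carries GID 0 among its groups. The following POSIX shell check is an added example written for this page; it is not code from vuln.today or from the authd project. It assumes only the standard `id` utility, and the `session_has_root_group` function is a name chosen here. Run it from inside the freshly provisioned user's SSH session: on a patched system a non-root uid must not report GID 0.

```shell
#!/bin/sh
# Added example for CVE-2025-5689 (not from the vuln.today page or the authd project).
# Decide whether a session shows the symptom the advisory describes: a non-root
# uid whose group list contains the root group (GID 0).
#   $1 = numeric uid (as printed by `id -u`)
#   $2 = space-separated numeric group list (as printed by `id -G`)
# Exit status 0 means "symptom present", 1 means "clean".
session_has_root_group() {
    uid="$1"
    gids="$2"
    # root legitimately has GID 0; the flaw concerns every other uid.
    [ "$uid" -eq 0 ] && return 1
    for g in $gids; do
        [ "$g" -eq 0 ] && return 0
    done
    return 1
}

# Audit the calling session. Intended to be run right after a first-time SSH
# login on a host that uses authd for provisioning. Exit status 1 on a finding,
# so it can be wired into a login hook or a monitoring job.
check_current_session() {
    uid="$(id -u)"
    gids="$(id -G)"
    if session_has_root_group "$uid" "$gids"; then
        echo "WARNING: uid $uid ($(id -un)) has GID 0 in its session groups: $gids"
        return 1
    fi
    echo "OK: uid $uid ($(id -un)) has no root group membership (groups: $gids)"
    return 0
}

# Example invocation when executed directly: sh check_root_group.sh
case "$0" in
    *check_root_group.sh) check_current_session ;;
esac
```

The check deliberately reads the live session groups with `id -G` rather than `/etc/group`, because the advisory places the defect in the NSS-provided temporary record, which is exactly what `id` resolves for the running session; a clean `/etc/group` does not rule out the symptom.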

Priority Score

43 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +42
POC: 0

Vendor Status
