CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Description (NVD)
A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user logging in for the first time will be considered to be part of the root group in the context of that SSH session.
Analysis (AI)
Privilege escalation flaw in authd's temporary user record handling during pre-authentication NSS operations that causes first-time SSH login users to be incorrectly assigned root group membership within their session context. This allows authenticated users (PR:L) to gain elevated group privileges over the network (AV:N) with low complexity, affecting system confidentiality (C:H) and integrity (I:L). The vulnerability has a high CVSS score of 8.5, though real-world exploitation requires valid login credentials and depends on authentication infrastructure specifics.
Technical Context (AI)
The vulnerability exists in authd (authentication daemon) and its interaction with NSS (Name Service Switch) during the pre-authentication phase. Specifically, when authd creates a temporary user record for first-time SSH authentication, it incorrectly initializes group memberships to include the root group (GID 0). This is a CWE-269 (Improper Access Control / Unintended Access) issue where the access control logic fails to properly restrict group membership assignment. The flaw manifests in the NSS layer responsible for user and group lookups during SSH authentication, meaning the vulnerability affects any system using authd with SSH that relies on dynamic user provisioning or first-time user authentication scenarios. The root cause appears to be insufficient validation or initialization of group context in the temporary user record structure before it is made available to the authentication context.
Remediation (AI)
Immediate remediation steps:
(1) Patch authd to the latest patched version from your distribution vendor (check RedHat Security Advisories, Debian Security Tracker, or your vendor's bulletin for CVE-2025-5689).
(2) Until patching, implement workarounds by restricting SSH access to known users only (disable password authentication if possible, use key-based auth with restricted authorized_keys).
(3) Review and restrict sudo/group membership policies to minimize blast radius if a first-time user gains elevated group access.
(4) Monitor authd logs and SSH authentication logs for first-time user logins and unexpected group assignments.
(5) Consider disabling first-time user auto-provisioning features if feasible.
(6) Apply the patch through standard distribution update channels (yum update authd, apt-get update && apt-get upgrade authd, or equivalent).
Verify patch application by checking authd version post-update and testing first-time user authentication in a controlled environment.
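For step (4) and the post-patch verification, the following is an added example (not authd's own code or tooling) that flags live processes owned by a non-root UID whose credentials include GID 0, by parsing /proc/<pid>/status. It assumes the flaw is visible in the session's process credentials; the function names, the allowed_uids allowlist and the sample records are constructed for illustration.

```python
import os

# Constructed /proc/<pid>/status samples (illustrative values, not from a real host).
SAMPLE_AFFECTED = "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nGid:\t0\t0\t0\t0\nGroups:\t0 1001\n"
SAMPLE_NORMAL = "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t27 1001\n"
SAMPLE_ROOT = "Name:\tsshd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t\n"

def parse_status(text):
    """Return (name, real_uid, all_gids) from the text of /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    name = " ".join(fields.get("Name", ["?"]))
    uid = int(fields["Uid"][0])
    # Real/effective/saved/fs GIDs plus the supplementary group list.
    gids = {int(g) for g in fields["Gid"] + fields.get("Groups", [])}
    return name, uid, gids

def has_unexpected_root_group(text, allowed_uids=frozenset({0})):
    """True if a process owned by a UID outside allowed_uids carries GID 0."""
    _, uid, gids = parse_status(text)
    return uid not in allowed_uids and 0 in gids

def scan_proc(proc_root="/proc", allowed_uids=frozenset({0})):
    """Return [(pid, name, uid)] for live processes that match the check."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
            if has_unexpected_root_group(text, allowed_uids):
                name, uid, _ = parse_status(text)
                hits.append((int(entry), name, uid))
        except (OSError, KeyError, ValueError):
            continue  # process exited mid-scan or status was unreadable
    return hits

if __name__ == "__main__":
    for pid, name, uid in scan_proc():
        print(f"pid={pid} comm={name} uid={uid} has GID 0 in its credentials")
```

Add to allowed_uids any service account that is intentionally a member of the root group, so that hits reflect only unexpected assignments.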
EUVD-2025-18385
GHSA-g8qw-mgjx-rwjr