
CVE-2024-22365: n/a in n/a

Medium
Published: Tue Feb 06 2024 (02/06/2024, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

AI-Powered Analysis

Last updated: 07/07/2025, 18:40:53 UTC

Technical Analysis

CVE-2024-22365 is a vulnerability in Linux Pluggable Authentication Modules (Linux PAM) affecting versions prior to 1.6.0. Linux PAM is a critical component used by many Linux distributions to manage authentication tasks. The vulnerability arises because the openat system call used in the protect_dir function does not include the O_DIRECTORY flag. An attacker with limited privileges can use mkfifo to create a named pipe (FIFO) in a location where PAM expects a directory, causing the openat call to block indefinitely. The login process then hangs, effectively denying legitimate users access to the system. The vulnerability is classified under CWE-664 (Improper Control of a Resource Through its Lifetime), indicating a failure to properly manage resource states.

The CVSS v3.1 base score is 5.5 (medium severity): the attack vector is local (AV:L), attack complexity is low (AC:L), low privileges are required (PR:L), no user interaction is needed (UI:N), and the impact is on availability (A:H), with no effect on confidentiality or integrity. No known exploits are currently reported in the wild, and no patches are linked in the provided data, but the fix would involve ensuring the openat call uses the O_DIRECTORY flag to prevent misuse of named pipes in place of directories.
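The blocking open and the effect of O_DIRECTORY can be reproduced in isolation. The C program below is an added example, not linux-pam code: it places a FIFO in a constructed temporary directory and opens it with and without O_DIRECTORY. The helper names try_open and probe_fifo, the /tmp path and the 300 ms timeout are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define OPEN_BLOCKED (-1)   /* openat() had not returned after ~300 ms */
#define SETUP_FAILED (-2)   /* fork/mkdtemp/mkfifo failed */

/* Run openat() in a child so a blocking open cannot hang the caller.
 * Returns OPEN_BLOCKED, or the child's errno from openat() (0 on success). */
static int try_open(const char *path, int flags)
{
    pid_t pid = fork();
    if (pid < 0) return SETUP_FAILED;
    if (pid == 0)
        _exit(openat(AT_FDCWD, path, flags) >= 0 ? 0 : errno);
    for (int i = 0, st; i < 30; i++) {          /* poll 30 x 10 ms */
        if (waitpid(pid, &st, WNOHANG) == pid)
            return WIFEXITED(st) ? WEXITSTATUS(st) : SETUP_FAILED;
        nanosleep(&(struct timespec){0, 10 * 1000 * 1000}, NULL);
    }
    kill(pid, SIGKILL);     /* child is still stuck inside openat() */
    waitpid(pid, NULL, 0);
    return OPEN_BLOCKED;
}

/* Constructed scenario: a FIFO sits at a path the caller expects to be a directory. */
static int probe_fifo(int flags)
{
    char dir[] = "/tmp/odir-demo-XXXXXX", path[64];
    if (!mkdtemp(dir)) return SETUP_FAILED;
    snprintf(path, sizeof path, "%s/expected_dir", dir);
    int rc = mkfifo(path, 0600) == 0 ? try_open(path, flags) : SETUP_FAILED;
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) {
    printf("O_RDONLY             -> %d\n", probe_fifo(O_RDONLY));
    printf("O_RDONLY|O_DIRECTORY -> %d (ENOTDIR=%d)\n", probe_fifo(O_RDONLY | O_DIRECTORY), ENOTDIR);
    return 0;
}
```

With O_DIRECTORY the kernel rejects the FIFO during path resolution, so the call fails with ENOTDIR instead of waiting for a writer.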

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the availability of Linux-based authentication services. Since Linux PAM is widely used across many Linux distributions common in enterprise environments, including servers, workstations, and embedded systems, exploitation could disrupt user logins and system access. This could lead to operational downtime, impacting business continuity, especially in sectors relying heavily on Linux infrastructure such as finance, telecommunications, government, and critical infrastructure. Although the vulnerability does not compromise confidentiality or integrity, the denial of service could be leveraged as part of a larger attack to cause disruption or delay response actions. The requirement for local privileges limits remote exploitation, but insider threats or attackers with limited access could still leverage this vulnerability. Given the reliance on Linux PAM for authentication, organizations with strict access controls and high availability requirements should consider this a significant operational risk.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Identify and inventory all Linux systems using PAM versions prior to 1.6.0.
2) Apply patches or upgrade to Linux PAM version 1.6.0 or later where the openat call includes the O_DIRECTORY flag, preventing misuse of named pipes.
3) Restrict local user privileges to prevent untrusted users from creating named pipes or manipulating authentication directories.
4) Implement monitoring for unusual filesystem objects such as named pipes in authentication-related directories to detect potential exploitation attempts.
5) Harden system access by enforcing strict user permissions and using mandatory access controls (e.g., SELinux, AppArmor) to limit the ability to create or manipulate filesystem objects in sensitive locations.
6) Incorporate this vulnerability into incident response plans to quickly identify and remediate any denial of service attempts related to PAM.
7) Regularly audit authentication logs and system behavior for anomalies indicating blocked or hanging login processes.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-09T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842df031a426642debc97e4

Added to database: 6/6/2025, 12:28:51 PM

Last enriched: 7/7/2025, 6:40:53 PM

Last updated: 8/1/2025, 4:28:08 AM
