CVE-2024-37408 identifies a vulnerability in the fprintd fingerprint authentication daemon, specifically in the PAM module pam_fprintd.so used up to version 1.94.3. The core issue is the absence of a security attention mechanism in pam_fprintd.so, which is critical for ensuring that fingerprint authentication requests are deliberate and properly verified by the user interface. Without this mechanism, the module configured as "auth sufficient" in PAM can authorize unexpected or unintended actions, particularly when used with sudo, potentially allowing privilege escalation or unauthorized command execution. The vulnerability falls under CWE-287 (Improper Authentication). Exploitation requires local access with limited privileges and some user interaction, such as triggering sudo commands. The supplier disputes the vulnerability, stating that the resolution involves modifying PAM configurations to restrict pam_fprintd.so usage to front-ends that implement proper attention mechanisms, rather than changing the software itself. No patches or fixes have been published yet, and no known exploits are currently active in the wild. The CVSS v3.1 score is 7.3, indicating high severity due to high impact on confidentiality, integrity, and availability, combined with low attack complexity and limited privileges required. Organizations relying on fprintd for biometric authentication in Linux environments should carefully audit PAM configurations and consider alternative authentication methods or additional controls until a definitive fix is available.

The vulnerability can lead to unauthorized privilege escalation on affected Linux systems using fprintd for fingerprint authentication with sudo. Attackers with limited local access can potentially bypass intended authentication controls, gaining elevated privileges to execute arbitrary commands. This compromises confidentiality by exposing sensitive data, integrity by allowing unauthorized changes, and availability by enabling disruptive actions. The impact is significant in environments where biometric authentication is trusted for sudo access, including enterprise servers, developer workstations, and critical infrastructure systems. The lack of a security attention mechanism means users might unknowingly authorize malicious actions, increasing the risk of insider threats or local attacker exploitation. Although no public exploits are known, the vulnerability's presence in widely used Linux PAM modules and sudo configurations means it could be leveraged in targeted attacks or lateral movement scenarios. Organizations with strict access controls relying on fingerprint authentication are particularly vulnerable, potentially affecting operational security and compliance.

To mitigate this vulnerability, organizations should immediately audit PAM configurations involving pam_fprintd.so, especially those using "auth sufficient" for sudo authentication. Restrict pam_fprintd.so usage to front-end applications that implement proper security attention mechanisms to ensure deliberate user authentication. Consider temporarily disabling fingerprint authentication for sudo or replacing it with more secure multi-factor authentication methods until a patch or official fix is released. Monitor local user activities and sudo logs for unusual authentication patterns or unexpected privilege escalations. Implement strict local access controls to limit potential attackers from gaining initial footholds. Stay informed about updates from the fprintd maintainers and promptly apply patches once available. Additionally, educate users about the risks of unintended authorizations when using biometric authentication. For critical systems, consider deploying host-based intrusion detection systems (HIDS) to detect anomalous sudo usage. Finally, review and harden overall PAM configurations to minimize exposure to similar authentication bypass issues.