CVE-2024-47191 affects the pam_oath.so module within oath-toolkit versions 2.6.7 through 2.6.11, prior to version 2.6.12. The vulnerability arises because the PAM (Pluggable Authentication Module) code, which runs with root privileges, improperly handles access to the usersfile. Specifically, the issue involves the use of the fchown system call on files that may be symlinks. This mishandling allows an attacker with limited privileges to exploit symbolic link (symlink) race conditions or path traversal attacks to change ownership of arbitrary files to root. Since PAM modules operate with elevated privileges during authentication, this flaw enables local users with some privileges to escalate their rights to root. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), indicating a directory traversal or symlink attack vector. The CVSS 3.1 base score is 7.1, reflecting a high severity with local attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity. No known exploits have been reported in the wild, and no official patches have been linked yet, though the issue is fixed in oath-toolkit 2.6.12. This vulnerability is critical for systems relying on oath-toolkit for authentication, especially those using pam_oath.so for two-factor authentication or other security mechanisms.

The primary impact of CVE-2024-47191 is local privilege escalation, allowing an attacker with limited access to gain root privileges on affected systems. This can lead to full system compromise, unauthorized access to sensitive data, and the ability to modify or bypass security controls. Since PAM modules are integral to authentication, exploitation can undermine the entire system's security posture. Organizations relying on oath-toolkit for authentication, especially in Linux environments, face risks of confidentiality breaches and integrity violations. Although availability is not directly impacted, the elevated privileges gained can be used to disrupt services or install persistent backdoors. The vulnerability poses a significant threat to servers, critical infrastructure, and any environment where oath-toolkit is deployed, potentially enabling attackers to move laterally or escalate privileges after initial access. The lack of known exploits in the wild suggests limited current exploitation, but the ease of exploitation (low complexity) and high impact make it a serious concern.

To mitigate CVE-2024-47191, organizations should immediately upgrade oath-toolkit to version 2.6.12 or later, where the vulnerability is fixed. In environments where immediate upgrade is not feasible, administrators should audit and restrict local user privileges to minimize the risk of exploitation. Implement strict file system permissions and monitor for suspicious symlink creation or unauthorized file ownership changes, especially in directories used by pam_oath.so. Employ file integrity monitoring to detect unexpected changes to authentication-related files. Additionally, consider isolating or sandboxing authentication modules where possible to limit the impact of privilege escalation. Regularly review PAM configurations to ensure minimal exposure and avoid unnecessary use of vulnerable modules. Finally, maintain comprehensive logging and alerting on authentication events and privilege escalations to detect potential exploitation attempts early.