Skip to main content

CVE-2025-5689: Vulnerability in Canonical authd

High
VulnerabilityCVE-2025-5689cvecve-2025-5689
Published: Mon Jun 16 2025 (06/16/2025, 11:37:12 UTC)
Source: CVE Database V5
Vendor/Project: Canonical
Product: authd

Description

A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user login for the first time will be considered to be part of the root group in the context of that SSH session.

AI-Powered Analysis

AILast updated: 06/16/2025, 12:05:09 UTC

Technical Analysis

CVE-2025-5689 is a vulnerability identified in Canonical's authd component, specifically related to its handling of temporary user records within the pre-authentication Name Service Switch (NSS) mechanism. The flaw causes the system to incorrectly assign a newly logging-in user to the root group during their initial SSH session. This means that when a user logs in for the first time, the session context mistakenly grants them root group privileges, which can lead to unauthorized access to sensitive system resources and elevated permissions. The vulnerability affects version 0.0.0 of authd, as reported on June 16, 2025. The CVSS 3.1 base score is 6.4, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) shows that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), no user interaction, and impacts confidentiality and integrity with a scope change, but does not affect availability. There are no known exploits in the wild at the time of publication, and no patches or mitigations have been explicitly linked yet. The vulnerability arises from improper privilege assignment during the authentication process, which could allow an attacker with valid credentials to escalate privileges within the SSH session context, potentially leading to unauthorized access to critical system functions or data.

Potential Impact

For European organizations, this vulnerability poses a significant risk particularly to those relying on Canonical's authd component within their SSH authentication infrastructure. Since SSH is widely used for remote administration and access to servers, the incorrect assignment of root group privileges during initial login could allow attackers or malicious insiders to gain elevated access rights, compromising system confidentiality and integrity. This could lead to unauthorized data access, modification, or lateral movement within networks. Organizations in sectors such as finance, government, critical infrastructure, and technology that depend on secure SSH access are especially vulnerable. The scope change indicated by the CVSS vector means that the vulnerability can affect resources beyond the initially compromised component, potentially impacting multiple systems if the attacker leverages the elevated privileges. Although no known exploits exist yet, the low complexity and network accessibility make it likely that attackers will develop exploits, increasing risk over time. The vulnerability does not affect availability directly but could indirectly cause service disruptions if exploited to modify system configurations or escalate privileges maliciously.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting first-time SSH logins or monitoring them closely for anomalous privilege escalations. 2. Implement strict access controls and multi-factor authentication (MFA) to reduce the risk of unauthorized credential use. 3. Employ session monitoring and logging to detect unusual group membership or privilege changes during SSH sessions, particularly for new users. 4. Use network segmentation to limit the impact of any compromised session with elevated privileges. 5. Until a patch is available, consider disabling or restricting the use of the affected authd component if feasible, or use alternative authentication mechanisms. 6. Regularly audit user group memberships and SSH session privileges to identify and remediate any unauthorized root group assignments. 7. Stay updated with Canonical’s advisories for patches or official workarounds and apply them promptly once released. 8. Conduct penetration testing focused on SSH authentication flows to identify potential exploitation paths related to this vulnerability.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
canonical
Date Reserved
2025-06-04T17:12:16.505Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 685004c3a8c9212743840d34

Added to database: 6/16/2025, 11:49:23 AM

Last enriched: 6/16/2025, 12:05:09 PM

Last updated: 8/13/2025, 2:03:23 AM

Views: 19

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats