ghsa-g8qw-mgjx-rwjr
Vulnerability from github
Published
2025-06-16 16:01
Modified
2025-06-17 19:26
Summary
New authd users logging in via SSH are members of the root group
Details

Impact

When an authd user logs in via SSH for the first time (meaning they do not yet exist in the authd user database) and successfully authenticates via the configured broker, the user is considered a member of the root group in the context of that SSH session. This situation may allow the user to read and write files that are accessible by the root group, to which they should not have access. The user does not get root privileges or any capabilities beyond the access granted to the root group.

Preconditions under which this vulnerability affects a system

* authd was installed via the PPA.
* An OAuth 2.0 application was registered in Microsoft Entra ID or Google IAM, and the respective authd broker was installed (authd-msentraid or authd-google) and configured.
* sshd was configured to enable SSH access with authd, i.e.:

    UsePAM yes
    KbdInteractiveAuthentication yes

* The username is allowed by the ssh_allowed_suffixes option in the broker configuration.
* The user is allowed by the allowed_users option in the broker configuration.
* The user successfully authenticates via the authd broker (Entra ID or Google IAM).
* The user did not log in locally before.

Patches

Fixed by https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab

Workarounds

Configure the SSH server to not allow authenticating via authd, for example by setting UsePAM no or KbdInteractiveAuthentication no in the sshd_config (see https://documentation.ubuntu.com/authd/stable/howto/login-ssh/#ssh-configuration).
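The following audit script is an added example, not code from the advisory or from the authd project. It checks the two sshd preconditions listed above (UsePAM yes and KbdInteractiveAuthentication yes) against sshd_config text, using sshd's first-value-wins rule, and compares an authd version string against the fixed release 0.5.4; it does not evaluate Match blocks or the broker-side preconditions (allowed_users, ssh_allowed_suffixes), and the sample config is constructed.

```python
import re

# Fixed version from the advisory record ("fixed": "0.5.4").
FIXED_VERSION = (0, 5, 4)

# Constructed sample sshd_config that mirrors the advisory's preconditions.
SAMPLE_SSHD_CONFIG = """\
KbdInteractiveAuthentication yes
UsePAM yes
# sshd keeps the first value it reads for a keyword, so the next line is ignored
UsePAM no
"""

def parse_sshd_config(text):
    """Map lowercase keyword -> first value, skipping comments and blank lines.
    Parsing stops at the first Match block (assumption: conditional blocks are not audited)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def authd_ssh_path_enabled(config_text):
    """True when sshd hands keyboard-interactive logins to PAM, and thus to authd.
    Missing keywords use upstream OpenSSH defaults (UsePAM no, KbdInteractiveAuthentication yes)."""
    s = parse_sshd_config(config_text)
    use_pam = s.get("usepam", "no").lower() == "yes"
    kbd = s.get("kbdinteractiveauthentication", "yes").lower() == "yes"
    return use_pam and kbd

def authd_version_vulnerable(version):
    """True for authd versions below 0.5.4; a trailing packaging suffix is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable authd version: {version!r}")
    return tuple(int(p) for p in m.group(0).split(".")) < FIXED_VERSION

def assess(config_text, authd_version):
    """Combine both checks; 'exposed' is True only when every tested precondition holds."""
    ssh_path = authd_ssh_path_enabled(config_text)
    old_authd = authd_version_vulnerable(authd_version)
    return {"ssh_path_enabled": ssh_path, "authd_vulnerable": old_authd,
            "exposed": ssh_path and old_authd}

if __name__ == "__main__":
    print(assess(SAMPLE_SSHD_CONFIG, "0.5.3"))
```

On a real host, feed the parser the output of `sshd -T` (the effective, lowercase configuration after all Include directives) rather than the raw file.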

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ubuntu/authd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-16T16:01:10Z",
    "nvd_published_at": "2025-06-16T12:15:19Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen an authd user logs in via SSH for the first time (meaning they do not yet exist in the authd user database) and successfully authenticates via the configured broker, the user is considered a member of the root group in the context of that SSH session. This situation may allow the user to read and write files that are accessible by the root group, to which they should not have access. The user does not get root privileges or any capabilities beyond the access granted to the root group.\n\n**Preconditions under which this vulnerability affects a system**\n* authd was [installed via the PPA](https://documentation.ubuntu.com/authd/latest/howto/install-authd/#install-authd).\n* An OAuth 2.0 application was registered in Microsoft Entra ID or Google IAM, and the respective authd broker was installed ([authd-msentraid](https://snapcraft.io/authd-msentraid) or [authd-google](https://snapcraft.io/authd-google)) and [configured](https://documentation.ubuntu.com/authd/latest/howto/configure-authd/#broker-configuration).\n* sshd was [configured to enable SSH](https://documentation.ubuntu.com/authd/latest/howto/login-ssh/) access with authd, i.e.:\n  ```\n  UsePAM yes\n  KbdInteractiveAuthentication yes\n  ```\n* The username is allowed by the `ssh_allowed_suffixes` option in the [broker configuration](https://documentation.ubuntu.com/authd/latest/howto/login-ssh/#broker-configuration).\n* The user is allowed by the [`allowed_users` option in the broker configuration](https://documentation.ubuntu.com/authd/latest/howto/configure-authd/#configure-allowed-users).\n* The user successfully authenticates via the authd broker (Entra ID or Google IAM).\n* The user did not log in locally before.\n\n### Patches\nFixed by https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab\n\n### Workarounds\nConfigure the SSH server to not allow authenticating via authd, for example by setting `UsePAM no` or `KbdInteractiveAuthentication no` in the `sshd_config` (see https://documentation.ubuntu.com/authd/stable/howto/login-ssh/#ssh-configuration).",
  "id": "GHSA-g8qw-mgjx-rwjr",
  "modified": "2025-06-17T19:26:35Z",
  "published": "2025-06-16T16:01:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ubuntu/authd/commit/619ce8e55953b970f1765ddaad565081538151ab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ubuntu/authd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "New authd users logging in via SSH are members of the root group"
}