CVE-2024-37408

7.3 HIGH

📋 TL;DR

CVE-2024-37408 describes a weakness in how fprintd, the Linux fingerprint authentication daemon, is wired into PAM: pam_fprintd.so has no security attention mechanism, meaning nothing ties a fingerprint touch to the specific request it ends up authorising. When sudo's PAM stack contains 'auth sufficient pam_fprintd.so', any process already running as a user with an enrolled finger can invoke sudo, and that user's next touch of the sensor, made for whatever reason, completes the authentication. The fingerprint itself is verified correctly; what is missing is the user's deliberate consent to the privileged action. The supplier disputes the CVE and treats it as a PAM configuration issue. Systems whose sudo stack (usually through an included common-auth or system-auth file) accepts a fingerprint alone are affected.

💻 Affected Systems

Products:
  • fprintd
Versions: Through version 1.94.3
Operating Systems: Linux distributions using fprintd with PAM integration
Default Config Vulnerable: ✅ No
Notes: Only affected when sudo's PAM auth stack lets pam_fprintd.so succeed on its own ('auth sufficient pam_fprintd.so' or an equivalent skip-ahead control). /etc/pam.d/sudo rarely names the module directly: Debian/Ubuntu's pam-auth-update fprintd profile and Fedora/RHEL's authselect with-fingerprint feature both insert pam_fprintd.so into the shared auth stack that the sudo service includes, so a machine where a user has enrolled a finger is often in this state without anyone editing the sudo file. The supplier disputes that this is a software vulnerability, stating that resolution means restricting pam_fprintd.so to front-ends that implement a security attention mechanism.

⚠️ Manual Verification Required

No fixed version exists for this CVE, so automatic detection by version cannot determine whether a system is affected.

Why? The supplier treats the issue as a PAM configuration matter, so no fprintd release changes the behaviour and no fixed-version range is recorded. Exposure is decided by the PAM configuration of sudo (and of any other service that lacks a security attention mechanism), not by the fprintd version installed.


Recommended Actions:
  1. Review the CVE entry at NVD and the oss-security thread it references
  2. Resolve the PAM auth stack that /etc/pam.d/sudo actually uses (it is usually pulled in through common-auth or system-auth) and look for pam_fprintd.so
  3. If the module is present with 'sufficient' or an equivalent skip-ahead control, treat the system as affected regardless of fprintd version
  4. Do not rely on updating fprintd; apply the PAM configuration changes under Fix & Mitigation

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code running as a user with an enrolled finger (a compromised application, a malicious script, a leftover session on a shared workstation) starts sudo in the background and obtains root on the user's next fingerprint touch, enabling complete system compromise, data theft, and persistence establishment.

🟠

Likely Case

A process running as the logged-in user invokes sudo without the user's knowledge; the user's next touch of the sensor, intended for the screen lock or some other prompt, satisfies sudo instead, and the command runs as root.

🟢

If Mitigated

With pam_fprintd.so removed from sudo's auth stack, and kept only for front-ends that present the user with an explicit prompt for the action being authorised, a fingerprint can no longer complete a sudo invocation the user did not initiate.

🌐 Internet-Facing: LOW - This is a local issue requiring code execution as a local user and a physical fingerprint touch at the reader; it cannot be triggered over the network.
🏢 Internal Only: HIGH - Any code that runs as an enrolled user on a shared or remotely reachable workstation (a malicious package, a compromised browser, another person's session) can turn that user's next touch into root.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to run code as a user with an enrolled fingerprint, on a system whose sudo PAM stack accepts pam_fprintd.so as sufficient, plus a touch of the sensor by that user; no password, exploit primitive or special tooling is involved, which is why the complexity is rated LOW. The oss-security mailing list post cited in the CVE entry describes the scenario.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://gitlab.freedesktop.org/libfprint/fprintd/-/releases

Restart Required: No

Instructions:

No software patch is available. The supplier considers this a configuration issue, and fprintd 1.94.3 and later do not change the behaviour, so updating fprintd is not a fix. The mitigation is to remove pam_fprintd.so from the sudo PAM stack, or to restrict it to front-ends that implement a security attention mechanism, as described under Temporary Workarounds.

🔧 Temporary Workarounds

Modify PAM Configuration

Restrict pam_fprintd.so to front-ends that implement a security attention mechanism, which in practice means keeping it out of the sudo stack.

Find where sudo's auth stack loads pam_fprintd.so. /etc/pam.d/sudo itself rarely names the module; it usually inherits it through an included common-auth (Debian/Ubuntu) or system-auth (Fedora/RHEL) file.
Remove the 'auth sufficient pam_fprintd.so' line, or the equivalent '[success=N default=ignore]' line that pam-auth-update generates, from the stack sudo uses. On Debian/Ubuntu, 'pam-auth-update --remove fprintd' drops the fprintd profile from the shared stack; on Fedora/RHEL, 'authselect disable-feature with-fingerprint' followed by 'authselect apply-changes' does the same. Both remove fingerprint from every service that includes the shared file, not only sudo.
To keep fingerprint for a front-end that does present an explicit prompt while removing it from sudo, give /etc/pam.d/sudo its own auth lines instead of the shared include.
Do not simply change 'sufficient' to 'required'. 'required' makes a fingerprint mandatory in addition to the password module that follows it, so sudo demands both and fails outright wherever no reader is available (SSH sessions, a laptop docked with the lid closed). Fingerprint as a second factor is a separate design decision, not a fix for the missing attention mechanism.

Disable Fingerprint Authentication for Sudo

Temporarily disable fingerprint authentication for sudo until the stack has been restructured.

Comment out the pam_fprintd.so line with # in the file sudo's stack actually reads, then run 'sudo -k' to discard the cached credential and confirm that a fresh sudo invocation prompts for a password rather than a finger.

🧯 If You Can't Patch

  • Restrict who can run sudo at all on affected systems (sudoers group membership) and monitor sudo usage, since any code running as an enrolled user is a candidate attacker
  • If fingerprint must stay in the sudo stack, do not let it satisfy auth alone: require a password as well, so the user has to engage with a prompt for the specific sudo invocation; that interaction is the attention mechanism pam_fprintd.so lacks
  • Keep sudo's credential caching short ('timestamp_timeout' in sudoers) so one accidental authorisation cannot be reused by later commands

🔍 How to Verify

Check if Vulnerable:

Search every file under /etc/pam.d for pam_fprintd.so, not only /etc/pam.d/sudo: the sudo service usually includes common-auth or system-auth, and that is where the module normally lives. A system is affected when the resolved auth stack for sudo lets the module succeed on its own, i.e. with the 'sufficient' control or a '[success=N ...]' / '[success=done ...]' control that jumps past the password module.

Check Version:

dpkg -l libpam-fprintd fprintd (Debian/Ubuntu) or rpm -q fprintd fprintd-pam (Fedora/RHEL). The version is not decisive, since no release changes this behaviour; what matters is whether the PAM module package is installed and a finger is enrolled (fprintd-list <user> shows enrolled fingers).

Verify Fix Applied:

Verify that pam_fprintd.so no longer appears in the resolved auth stack for sudo, or appears only with a control that still requires the password module. Then run 'sudo -k' to clear the cached credential and invoke sudo in a fresh shell: it must prompt for a password, and touching the sensor must not complete the authentication.
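The script below is an added example, not code from the fprintd project, the CVE entry or this page's original content. It performs the check described above mechanically: it resolves a service's PAM auth stack, following Debian '@include' and Linux-PAM 'include'/'substack' lines, and reports whether pam_fprintd.so can complete authentication on its own. It also covers the workaround section: the two /etc/pam.d trees it builds are constructed sample input, one with a pam-auth-update-style fprintd line in common-auth and one with that line removed. The function names and the demo layout are this example's own; on a real system run check_fprintd_service /etc/pam.d sudo.

```shell
#!/usr/bin/env bash
# Added example, not code from the fprintd project or the CVE advisory.
# Resolve a service's PAM 'auth' stack (following Debian '@include' and
# Linux-PAM 'include'/'substack') and report whether pam_fprintd.so can
# complete authentication by itself, the CVE-2024-37408 condition for sudo.
set -uf   # -f: no globbing while we word-split config lines

# resolve_auth_stack PAMDIR SERVICE [DEPTH]
#   Print SERVICE's 'auth' lines with includes expanded, in stack order.
resolve_auth_stack() {
    local dir=$1 svc=$2 depth=${3:-0} line
    [ "$depth" -lt 8 ] || return 0      # guard against include loops
    [ -f "$dir/$svc" ] || return 0      # PAM skips missing include files too
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                    # type, control, module, args...
        case ${1:-} in
            ''|\#*) continue ;;
            @include) resolve_auth_stack "$dir" "${2:-}" $((depth + 1)) ;;
            auth)
                case ${2:-} in
                    include|substack) resolve_auth_stack "$dir" "${3:-}" $((depth + 1)) ;;
                    *) printf '%s\n' "$line" ;;
                esac ;;
        esac
    done < "$dir/$svc"
}

# pam_fprintd_auth_control PAMDIR SERVICE
#   Print the control field of the first 'auth' line loading pam_fprintd.so,
#   or 'absent'. For bracketed controls only the first token is printed,
#   e.g. '[success=2' for '[success=2 default=ignore]'.
pam_fprintd_auth_control() {
    local ctrl
    ctrl=$(resolve_auth_stack "$1" "$2" |
           awk '$1 == "auth" && /pam_fprintd\.so/ { print $2; exit }')
    printf '%s\n' "${ctrl:-absent}"
}

# check_fprintd_service PAMDIR SERVICE
#   Return 0 (VULNERABLE) when a fingerprint alone completes 'auth' for
#   SERVICE, 1 when the module is absent, 2 when it is present with a
#   control that needs manual review (e.g. 'required').
check_fprintd_service() {
    local ctrl
    ctrl=$(pam_fprintd_auth_control "$1" "$2")
    case $ctrl in
        # 'sufficient', '[success=done ...]' and the pam-auth-update style
        # '[success=N ...]' jump all skip the password module on a match.
        sufficient|*success=done*|*success=[0-9]*)
            echo "VULNERABLE: $2 auth completes with pam_fprintd.so alone ($ctrl)"; return 0 ;;
        absent)
            echo "OK: pam_fprintd.so is not in the $2 auth stack"; return 1 ;;
        *)
            echo "REVIEW: pam_fprintd.so in $2 auth stack with control '$ctrl'"; return 2 ;;
    esac
}

# make_demo_pamdir vulnerable|fixed
#   Build a constructed Debian-style pam.d tree in a temp dir (sample input
#   for this example, not copied from any real system) and print its path.
make_demo_pamdir() {
    local dir; dir=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' 'auth required pam_env.so' '@include common-auth' > "$dir/sudo"
    if [ "$1" = vulnerable ]; then
        # modelled on the skip-ahead layout pam-auth-update generates
        printf '%s\n' \
            'auth [success=2 default=ignore] pam_fprintd.so max_tries=1 timeout=10' \
            'auth [success=1 default=ignore] pam_unix.so nullok' \
            'auth requisite pam_deny.so' \
            'auth required pam_permit.so' > "$dir/common-auth"
    else
        printf '%s\n' \
            'auth [success=1 default=ignore] pam_unix.so nullok' \
            'auth requisite pam_deny.so' \
            'auth required pam_permit.so' > "$dir/common-auth"
    fi
    printf '%s\n' "$dir"
}

# Demo on the constructed trees; on a real host: check_fprintd_service /etc/pam.d sudo
for mode in vulnerable fixed; do
    d=$(make_demo_pamdir "$mode")
    check_fprintd_service "$d" sudo || true
    rm -rf "$d"
done
```

The checker deliberately treats a '[success=N default=ignore]' jump the same as 'sufficient', because on a matching fingerprint it skips the password module just as 'sufficient' does; that is the form most Debian/Ubuntu systems actually carry, so grepping only for the literal string 'auth sufficient pam_fprintd.so' would miss them.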

📡 Detection & Monitoring

Log Indicators:

  • sudo COMMAND entries with TTY=unknown: sudo was not run from an interactive terminal, so no person was at a prompt to authorise it
  • Bursts of sudo commands from one user in a short window, especially from an unexpected working directory or with commands a person would not type
  • fprintd.service journal activity at times when the user was not at a login, unlock or other prompt that legitimately asks for a finger

Network Indicators:

  • N/A - Local authentication bypass

SIEM Query:

Select sudo COMMAND entries (journal syslog identifier 'sudo', or /var/log/auth.log and /var/log/secure) where TTY=unknown, or where one user accounts for several commands within a minute, and correlate them with fprintd.service journal entries at the same time. Fingerprint authentication leaves no 'attention mechanism' log to correlate with; the absence of an interactive terminal is the usable signal.
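As an added example (not from the advisory or this page's original content), the following script applies two of the sudo-log heuristics above to constructed syslog-style lines: it flags sudo COMMAND entries logged with TTY=unknown and flags any user who accumulates three or more sudo commands within one clock minute. The sample log, the thresholds and the function name are this example's own assumptions; the line layout follows sudo's standard COMMAND log entry as it appears in auth.log and in journalctl's default short format.

```shell
#!/usr/bin/env bash
# Added example, not from the fprintd project or the CVE advisory.
# Flag sudo log entries that fit the CVE-2024-37408 abuse pattern: a
# background process (no terminal) obtaining root through a fingerprint
# touch, possibly retried in a tight loop.
set -u

# flag_sudo_lines
#   Read syslog/journal-style sudo entries on stdin, print one "FLAG ..."
#   line per suspicious event. Heuristics are this example's assumptions:
#     notty - COMMAND logged with TTY=unknown (not run from a terminal)
#     burst - 3 or more COMMAND entries for one user in one clock minute
#   Expects the classic timestamp layout "Mon DD HH:MM:SS host sudo[pid]: ..."
flag_sudo_lines() {
    awk '
        $5 ~ /^sudo(\[[0-9]+\])?:$/ && /COMMAND=/ {
            user   = $6                               # "sudo:  alice : TTY=..."
            tty    = substr($8, 5)                    # strip "TTY="
            minute = $1 " " $2 " " substr($3, 1, 5)   # "Jun 12 10:03"
            cmd    = substr($0, index($0, "COMMAND=") + 8)
            if (tty == "unknown")
                print "FLAG notty " user " at " $3 ": " cmd
            hits[user "|" minute]++
            if (hits[user "|" minute] == 3)
                print "FLAG burst " user ": 3+ sudo commands in " minute
        }'
}

# Constructed sample log (not captured from a real system): one legitimate
# interactive sudo, then a non-interactive burst installing an SSH key.
SAMPLE_LOG='Jun 12 10:00:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jun 12 10:03:14 host sudo:    alice : TTY=unknown ; PWD=/home/alice ; USER=root ; COMMAND=/bin/sh -c /tmp/.cache/run.sh
Jun 12 10:03:14 host sudo:    alice : TTY=unknown ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cp /tmp/.cache/key /root/.ssh/authorized_keys
Jun 12 10:03:15 host sudo:    alice : TTY=unknown ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/chmod 600 /root/.ssh/authorized_keys
Jun 12 10:15:00 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx'

# Demo on the constructed lines; on a real host feed it the journal instead:
#   journalctl -t sudo --since today | flag_sudo_lines
printf '%s\n' "$SAMPLE_LOG" | flag_sudo_lines
```

Both heuristics produce benign hits (cron jobs and configuration management run sudo without a terminal; an administrator may legitimately fire several sudo commands in a minute), so the output is a triage list, not an alert in itself; the pattern worth escalating is a user whose sudo entries are non-interactive at a time when fprintd.service was verifying a finger.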
