CVE-2024-9312: Ubuntu Authd Flaw Allows User ID Spoofing
Canonical has recently issued a security advisory addressing a vulnerability (CVE-2024-9312, CVSS 7.6) in Authd, an authentication daemon used for managing identity and access on Ubuntu machines worldwide. The vulnerability, which impacts Authd versions through 0.3.6, could allow attackers to spoof user IDs and gain unauthorized access to target accounts.
Authd is designed to facilitate secure authentication for cloud-based identity providers, such as MS Entra ID, with several other identity providers currently in development. However, researchers have identified that Authd does not sufficiently randomize user IDs, leading to potential user ID collisions. As the advisory explains, “Authd assigns user IDs as a pure function of the username…The set of UIDs is much too small for pseudo-random assignment to work,” making the system vulnerable to collisions and exploitation.
An attacker with local access to an affected machine could register multiple user accounts with colliding UIDs or a username that matches a target account’s UID. This would allow the attacker to gain the same privileges as the legitimate user. The advisory further warns that attackers could exploit these collisions to “manipulate resources exposed on [a different machine] as if they were the target user”, posing a serious threat to both desktop and server environments.
The vulnerability’s root cause lies in how Authd generates user IDs. The advisory notes that, due to insufficient randomization in the GenerateID function, adversaries can easily predict or engineer username collisions. As Authd relies on caching to check the uniqueness of user IDs, there are several scenarios where an attacker could bypass these checks. For instance, the advisory outlines that an attacker could “engineer a situation where the system administrator purges /var/cache, allowing the attacker to bypass existing UID checks.”
Moreover, the attack could be executed entirely offline, allowing adversaries to “compute a preimage (a username which yields the same UID)” without triggering system rate limits. The advisory estimates that the computational cost of this attack could be as low as 10 minutes on a single-core system, making it a highly feasible attack vector for cybercriminals.
The impact of this vulnerability is significant, as it allows attackers to impersonate users on systems where Authd is deployed. In addition to gaining unauthorized access, attackers could manipulate critical files and settings, such as “~/.ssh/authorized_keys or ~/.config,” which could lead to further exploitation of shared network resources. The advisory also highlights that, while certain network protocols like NFSv4 may offer protection, these defenses are not enabled by default in most Authd deployments, increasing the risk for affected systems.
Canonical has released version 0.3.6 of Authd, which addresses CVE-2024-9312. The advisory recommends updating to the patched version immediately to mitigate the risk of exploitation. As part of the remediation, the advisory suggests that identity providers should issue guaranteed-unique user IDs to prevent collisions, a feature supported by many OpenID Connect (OIDC) providers like LDAP and Active Directory.
If organizations cannot rely on external identity providers to generate unique IDs, further architectural changes to Authd would be necessary to prevent future attacks. These changes include managing mutable state across multiple machines to ensure that user IDs are synchronized correctly, especially for shared network resources.
