
    Security Advisory YSA-2025-01 – Partial Authentication Bypass in pam-u2f Software Package

    Published Date: 2025-01-14
    Tracking IDs: YSA-2025-01
    CVE: CVE-2025-23013
    CVSS Severity: 7.3

    Summary

    Yubico’s open source pam-u2f software package implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue which allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user’s password. To resolve this, Yubico recommends customers upgrade to the latest version of pam-u2f.

    Not Affected Devices

    No Yubico hardware is affected. This does not affect any previous or current generation YubiKey Series, YubiKey FIPS Series, Security Key Series, YubiHSM, or YubiHSM FIPS devices.

    Affected Software

    The pam-u2f package with a version prior to 1.3.1 is affected. See Issue Details for details specific to each use case.

    How to Tell if You Are Affected

    If you have installed pam-u2f via apt or followed our Ubuntu Linux Login Guide, check the version of pam-u2f on your system by running the command “apt list libpam-u2f”.

    If you have installed from source, check the source NEWS file for version notes.

    Customer Actions

    Yubico recommends that affected customers upgrade to the latest version of pam-u2f either by directly downloading from GitHub or getting the latest update via Yubico PPA.


    If using libpam, an alternative solution could be to disable the nouserok option and map the “ignore” control value to the action “bad” for every reference to pam-u2f in the PAM stack (for example, [success=ok default=bad]). The OpenPAM implementation does not support this flexibility.

    Issue Details

    The implementation of the pam_sm_authenticate() function returns PAM_IGNORE in several cases when an internal error occurs, such as:

    • memory cannot be allocated
    • the module cannot change privileges
    • the authfile is not present

    When a module returns PAM_IGNORE, it does not contribute to the final authentication decision performed by PAM. As a result, either the second or the primary authentication factor (depending on the use case) is no longer verified.

    In addition, if the nouserok option is enabled, pam-u2f also returns PAM_SUCCESS if the pam-u2f authfile is either not found or corrupted.

    Different scenarios are impacted differently depending on the configuration of pam-u2f and other PAM modules. A key differentiator between scenarios is the location of the authfile, and some examples of authfile differences are included below. The path for the authfile is configured via an argument to pam-u2f in the PAM stack stored under /etc/pam or /etc/pam.d. The argument itself is called authfile (e.g. auth required pam_u2f.so authfile=/etc/u2f_mappings cue). The expand argument should also be verified because it influences how the authfile path is interpreted.

    Some example scenarios for management of the authfile and associated CVSS score for this advisory are listed below:

    • User managed authfile (i.e. stored in the user home directory), with pam-u2f used as a single factor authentication method and with the nouserok option enabled. In this scenario, a bad actor may remove or corrupt the authfile and thus force the pam-u2f module to return PAM_SUCCESS. This would lead to local privilege escalation if the user is authorized to sudo. The CVSS calculation results in a score of 7.3.
    • Centrally managed authfile (i.e. file cannot be modified without elevated privileges) and pam-u2f used as a second factor authentication method in combination with a user password. In this scenario, a bad actor may attempt to memory-starve the system by allocating large amounts of memory and triggering a memory allocation error within pam-u2f. In this scenario, the second factor would no longer be verified during an authentication event. The CVSS calculation results in a score of 7.1.
    • pam-u2f is used as a single factor authentication method, and combined only with other PAM modules which do not perform authentication but may return PAM_SUCCESS (e.g. pam_shells or pam_faillock). In this scenario, the bad actor forcing a PAM_IGNORE response from pam-u2f would result in no verification being performed as part of the authentication event. This would lead to local privilege escalation if, for example, the user has access to sudo. The CVSS calculation results in a score of 7.3.
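    To make the stack behaviour described under Issue Details concrete, and to show the effect of the [success=ok default=bad] control recommended under Customer Actions, the following is an added Python model of how a Linux-PAM style auth stack is evaluated. It is example code written for this page, not Yubico's pam-u2f code and not libpam's own dispatcher: the control tables follow the pam.d(5) man page, jump and reset actions are omitted, and the return code of each module is supplied by hand rather than modelling the module's internals. The two stacks, the module names and the results dictionaries are constructed to mirror the advisory's second and third scenarios.

```python
# Added example (not Yubico's or libpam's code): a small evaluator for a
# Linux-PAM style "auth" stack. It shows why a module returning PAM_IGNORE
# drops out of the decision under "required", and why an explicit
# "[success=ok default=bad]" control closes that gap. Control tables follow
# pam.d(5); jump (N) and reset actions are not modelled.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"

# Keyword controls as the explicit [value=action] tables they expand to (pam.d(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "ignore": "ignore", "default": "ignore"},
}

# Return-code names as they are spelled inside a [...] control.
VALUE_NAMES = {PAM_SUCCESS: "success", PAM_IGNORE: "ignore",
               PAM_AUTH_ERR: "auth_err", PAM_PERM_DENIED: "perm_denied"}


def parse_control(token):
    """Turn 'required' or '[success=ok default=bad]' into a value->action dict."""
    if not token.startswith("["):
        return dict(KEYWORD_CONTROLS[token])
    table = {}
    for pair in token.strip("[]").split():
        value, action = pair.split("=", 1)
        table[value] = action
    table.setdefault("default", "bad")  # unlisted values fail, as in Linux-PAM
    return table


def parse_auth_stack(text):
    """Parse pam.d(5)-style lines and keep only the 'auth' management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "auth":
            continue
        if parts[1].startswith("["):
            # A bracketed control contains spaces; rejoin up to the closing ']'.
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        entries.append((rest[0], parse_control(control), rest[1:]))
    return entries


def evaluate_auth(stack, results):
    """Run the stack; results maps module name -> return code for this attempt."""
    impression, status = None, PAM_PERM_DENIED
    for module, control, _args in stack:
        retval = results[module]
        action = control.get(VALUE_NAMES[retval], control["default"])
        if action == "ignore":
            continue  # the module makes no contribution to the decision
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:  # PAM_IGNORE is never recorded as the status
                    impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression = "negative"
                status = PAM_PERM_DENIED if retval == PAM_IGNORE else retval
            if action == "die":
                break
        else:
            raise ValueError("unsupported action: " + action)
    return status if impression is not None else PAM_PERM_DENIED


# Constructed stacks. The first two mirror the advisory's third scenario (pam_u2f
# as the only authenticating module next to pam_shells); the last mirrors the
# second scenario (password first, pam_u2f as second factor).
VULNERABLE_STACK = """
auth required pam_shells.so
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
"""
HARDENED_STACK = """
auth required pam_shells.so
auth [success=ok default=bad] pam_u2f.so authfile=/etc/u2f_mappings cue
"""
SECOND_FACTOR_STACK = """
auth required pam_unix.so
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
"""


def outcome(stack_text, results):
    """Final result of the auth stack for the given per-module return codes."""
    return evaluate_auth(parse_auth_stack(stack_text), results)


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_STACK), ("hardened", HARDENED_STACK)):
        for code in (PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR):
            res = outcome(text, {"pam_shells.so": PAM_SUCCESS, "pam_u2f.so": code})
            print(f"{name:10} pam_u2f -> {code:16} stack -> {res}")
    res = outcome(SECOND_FACTOR_STACK, {"pam_unix.so": PAM_SUCCESS, "pam_u2f.so": PAM_IGNORE})
    print(f"second-factor stack, pam_u2f -> PAM_IGNORE: stack -> {res}")
```

    Running the file prints one line per combination. Under "required", a pam_u2f entry that returns PAM_IGNORE is simply skipped, so the stack succeeds on pam_shells (or on the password module) alone; under the explicit control, PAM_IGNORE falls through to default=bad and the stack is denied. The control change does not help when nouserok makes the module itself return PAM_SUCCESS on a missing authfile, which is why the advisory pairs it with disabling nouserok.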

    Severity

    Yubico has rated this issue as High. It has a CVSS score of 7.3.

    Acknowledgements

    On November 11, 2024, Matthias Gerstner from the SUSE security team notified Yubico of this security issue. We thank Matthias Gerstner and SUSE for reporting it and working with us under coordinated vulnerability disclosure.

    Timeline

    2024-11-20 – Finder informs Yubico of the issue
    2025-01-14 – Yubico releases advisory YSA-2025-01