Security Advisory YSA-2021-03 – Local PIN bypass in pam-u2f
Published Date: 2021-05-19
Tracking IDs: YSA-2021-03
CVE: CVE-2021-31924
Summary
A security update for pam-u2f resolves a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator.
If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed.
Affected software
Users relying on PIN authentication and using pam-u2f version 1.1.0 are potentially affected. See Issue Details below for use-case-specific information.
Not affected devices
This does not affect any previous or current generation YubiKey Series, YubiKey FIPS Series, Security Key Series, or YubiHSM devices.
How to tell if you are affected
1. Check the version of pam-u2f on your system
If you have installed pam-u2f via apt or followed our Ubuntu Linux Login Guide, check the version of pam-u2f on your system by running:
$ apt list libpam-u2f
If you have installed from source, check the source NEWS file for version notes.
2. Check if PIN authentication is configured
To check if PIN authentication is being used, run:
$ grep -q +pin ~/.config/Yubico/u2f_keys && echo PIN is being used.
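The two checks above can be combined into a single script. The following is an added example, not part of the Yubico advisory; the function names, the sample `apt list` line and the sample `u2f_keys` entry are constructed for illustration, and the `u2f_keys` line format is assumed to be `user:keyHandle,publicKey,coseType,options`.

```shell
#!/bin/sh
# Added example (not from the Yubico advisory): decide whether a host is
# exposed to YSA-2021-03 from the two facts the advisory tells you to check:
# the installed pam-u2f version and whether any enrolled credential carries
# the "+pin" option. Sample inputs below are constructed.

# True (exit 0) when the version string is exactly the affected release 1.1.0.
affected_version() {
    [ "$1" = "1.1.0" ]
}

# True (exit 0) when the u2f_keys file given as $1 has a credential whose
# option list contains "+pin" (the same test the advisory uses with grep).
pin_configured() {
    grep -q '+pin' "$1"
}

# Extract the upstream version from one line of `apt list libpam-u2f` output,
# e.g. "libpam-u2f/focal,now 1.1.0-1 amd64 [installed]" (constructed sample):
# the second field is "<upstream>-<debian revision>", so keep the part before '-'.
version_from_apt_line() {
    printf '%s\n' "$1" | awk '{ split($2, v, "-"); print v[1] }'
}

# Combine both checks. Prints a verdict; exit 0 only when the host is affected
# (affected version AND PIN-enrolled credentials), 1 otherwise.
check_host() {
    version="$1"
    keys_file="$2"
    if affected_version "$version" && pin_configured "$keys_file"; then
        echo "AFFECTED: pam-u2f $version with +pin credentials in $keys_file; upgrade pam-u2f"
        return 0
    fi
    echo "not affected: pam-u2f $version"
    return 1
}

# Stand-alone demonstration with a constructed u2f_keys entry in a temp file.
demo() {
    tmp=$(mktemp)
    # Constructed entry: user:keyHandle,publicKey,coseType,options
    printf 'alice:EXAMPLEKEYHANDLE,EXAMPLEPUBLICKEY,es256,+presence+pin\n' > "$tmp"
    check_host "$(version_from_apt_line 'libpam-u2f/focal,now 1.1.0-1 amd64 [installed]')" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo
```

On a real host, replace the constructed `apt list` line with the actual output of `apt list libpam-u2f` and point `check_host` at `~/.config/Yubico/u2f_keys` (or wherever `authfile` in your PAM configuration places it); if pam-u2f was built from source, take the version from its NEWS file instead.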
Customer Actions
Yubico recommends that affected customers upgrade to the latest version of pam-u2f.
Issue Details
Background
Due to the way PAM modules and encompassing applications interact, pam-u2f returns the execution flow to the application when it needs to prompt the user for a PIN. If the application allows the user to perform an action that causes a NULL PIN to be returned to pam-u2f, pam-u2f will drop the PIN requirement and proceed with a FIDO2 authentication without PIN. The user will be prompted for user presence verification, then be logged in without having specified a PIN, contrary to the user’s expectations.
pam-u2f works on macOS, Linux, and other UNIX-like operating systems. Official support is available for Linux. The difficulty of exploiting this vulnerability varies depending on the type of application in use. An attacker would need to both cause a NULL PIN to be sent to pam-u2f and physically interact with the enrolled authenticator.
Aggregate Severity Rating
Yubico has rated this issue as Moderate. It has a CVSS score of 6.8.
The attacker must cause an application to provide a NULL PIN to pam-u2f and still interact with the enrolled authenticator for the user presence verification.
Acknowledgements
On April 23, 2021 Kamil Jońca notified Yubico of this security issue. We thank Kamil for reporting this issue.
Timeline
April 23, 2021 | Issue reported in GitHub
May 19, 2021 | Yubico releases advisory YSA-2021-03