Multiple vulnerabilities in Yubico pam-u2f
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-12209 CVE-2019-12210 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
pam-u2f Web applications / Other software |
| Vendor | Yubico |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU35855
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12209
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionspam-u2f: 1.0.7
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html
http://www.openwall.com/lists/oss-security/2019/06/05/1
http://developers.yubico.com/pam-u2f/Release_Notes.html
http://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5FOR4ADC356JPCHAJI5UXZORLC3VNBPS/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCGU6UQLI3ZTW3UYCTMQW7VDL5M4LCWR/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU35856
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12210
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descriptor being inherited into the child process; the child process can then read from and write to it. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation.
MitigationInstall update from vendor's website.
Vulnerable software versionspam-u2f: 1.0.7
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html
http://www.openwall.com/lists/oss-security/2019/06/05/1
http://developers.yubico.com/pam-u2f/Release_Notes.html
http://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
