ArchLinux: 201906-5: pam-u2f: information disclosure

    Date: 08 Jun 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package pam-u2f before version 1.0.8-2 is vulnerable to information disclosure.
    Arch Linux Security Advisory ASA-201906-5
    =========================================
    
    Severity: Medium
    Date    : 2019-06-07
    CVE-ID  : CVE-2019-12209 CVE-2019-12210
    Package : pam-u2f
    Type    : information disclosure
    Remote  : No
    Link    : https://security.archlinux.org/AVG-973
    
    Summary
    =======
    
    The package pam-u2f before version 1.0.8-2 is vulnerable to information
    disclosure.
    
    Resolution
    ==========
    
    Upgrade to 1.0.8-2.
    
    # pacman -Syu "pam-u2f>=1.0.8-2"
    
    The problems have been fixed upstream in version 1.0.8.
    
    Workaround
    ==========
    
    A major mitigation for both issues is to remove the `debug` and
    `debug_file` options for `pam_u2f.so` in the PAM configuration.
    Furthermore enabling the `openasuser` option will mitigate the symlink
    attack in CVE-2019-12209.
    
    Description
    ===========
    
    - CVE-2019-12209 (information disclosure)
    
    A symbolic link attack has been found in pam-u2f before 1.0.8. The file
    `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module.
    It can be a symlink pointing to an arbitrary file. The PAM module only
    rejects non-regular files and files owned by other users than root or
    the to-be-authenticated user. Even these checks are only made after
    open()'ing the file, which may already trigger certain logic in the
    kernel that is otherwise not reachable to regular users.
    
    If the PAM module's `debug` option is also enabled then most of the
    content of the file is written either to stdout, stderr, syslog or to
    the defined debug file. Therefore this can pose an information leak to
    access e.g. the contents of /etc/shadow, /root/.bash_history or
    similar sensitive files. Furthermore the symlink attack can be used to
    use other users' u2f_keys files in the authentication process.
    
    - CVE-2019-12210 (information disclosure)
    
    A file descriptor leak has been found in pam-u2f before 1.0.8. If the
    `debug` and `debug_file` options are set then the opened debug file
    will be inherited by the successfully authenticated user's process.
    Therefore this user can write further information to it, possibly
    filling up a privileged file system or manipulating the information
    found in the debug file.
    This can leak sensitive information and also, if written to, be used to
    fill the disk or plant misinformation.
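
The two patterns described above (checks applied only after a symlink-following open(), and a debug file descriptor that survives into the user's session) can be avoided as in the following added example, which is not pam-u2f code and not the upstream patch. The function names `open_authfile_checked` and `open_debug_log` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not pam-u2f code: open a per-user key file and
 * validate the inode that was actually opened. Returns an fd or -1. */
int open_authfile_checked(const char *path, uid_t user)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the final path component is a symlink.
     * O_CLOEXEC:  the descriptor does not survive exec().
     * O_NONBLOCK/O_NOCTTY: do not block on a FIFO, never acquire a tty. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor rather than the path, so the ownership and
     * type checks apply to the same inode that will be read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_uid != 0 && st.st_uid != user)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical helper: open the debug log close-on-exec so the
 * authenticated user's session does not inherit it. */
FILE *open_debug_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "a");
    if (f == NULL)
        close(fd);
    return f;
}

int main(int argc, char **argv)
{
    /* Usage: ./check <authfile> (checked for the invoking user). */
    int fd = argc > 1 ? open_authfile_checked(argv[1], getuid()) : -1;
    puts(fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0) close(fd);
    return 0;
}
```

O_NOFOLLOW checks only the final path component; the directories above it are still resolved normally, which is why opening the file with the user's privileges (the `openasuser` option) is the stronger control for CVE-2019-12209.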
    
    Impact
    ======
    
    An authenticated user can access sensitive information via a crafted
    symlink or a leaked file descriptor.
    
    References
    ==========
    
    https://seclists.org/oss-sec/2019/q2/149
    https://bugzilla.suse.com/show_bug.cgi?id=1087061
    https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
    https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
    https://security.archlinux.org/CVE-2019-12209
    https://security.archlinux.org/CVE-2019-12210
    
    