CVE-2021-31924 Information

Description

Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without a PIN. If this authentication is successful, the PIN requirement is bypassed. The issue is addressed in pam-u2f 1.1.1.
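The failure pattern the advisory describes is that the presence of a PIN string, rather than the module's configuration, decided whether a PIN-verified assertion was requested. The following is an added illustration written for this page, not pam-u2f or libfido2 code: it models the decision with a mock authenticator (the `pin_required` flag, `mock_authenticator_t` and `mock_get_assertion` are all assumptions standing in for a pam-u2f option and a FIDO2 GetAssertion) and contrasts the NULL-downgrading logic with a version that refuses a missing PIN up front and also checks that user verification actually happened.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the decision a PAM module must make (added example, not pam-u2f code). */
typedef struct {
    bool pin_required;   /* stands in for a "require PIN" module option (assumed) */
} config_t;

/* Mock authenticator. Touch and the signature are treated as always valid,
 * because the attacker in this scenario already holds the enrolled key. */
typedef struct {
    const char *pin;     /* PIN set on the mock authenticator */
    bool key_present;    /* is an enrolled key plugged in? */
} mock_authenticator_t;

typedef enum { AUTH_OK, AUTH_FAIL } auth_result_t;

/* Mock of a FIDO2 GetAssertion. With pin == NULL no PIN/UV step is performed,
 * so success depends only on possession; uv_done reports whether a PIN was
 * actually verified for this assertion. */
static auth_result_t mock_get_assertion(const mock_authenticator_t *dev,
                                        const char *pin, bool *uv_done) {
    *uv_done = false;
    if (!dev->key_present) return AUTH_FAIL;
    if (pin == NULL) return AUTH_OK;              /* possession-only assertion */
    if (strcmp(pin, dev->pin) != 0) return AUTH_FAIL;
    *uv_done = true;                              /* PIN verified */
    return AUTH_OK;
}

/* Vulnerable pattern: whether PIN authentication is attempted is decided by
 * whether a PIN string was supplied, so a NULL PIN silently downgrades to a
 * possession-only check even when the configuration demands a PIN.
 * Returns 0 on success, 1 on failure. */
int authenticate_vulnerable(const config_t *cfg, const mock_authenticator_t *dev,
                            const char *pin) {
    bool uv;
    (void)cfg;  /* configuration is never consulted when choosing the path */
    return mock_get_assertion(dev, pin, &uv) == AUTH_OK ? 0 : 1;
}

/* Hardened pattern: a required PIN that is missing fails before the
 * authenticator is touched, and a successful assertion is only accepted
 * if the authenticator reports that user verification actually happened. */
int authenticate_fixed(const config_t *cfg, const mock_authenticator_t *dev,
                       const char *pin) {
    bool uv;
    if (cfg->pin_required && pin == NULL) return 1;
    if (mock_get_assertion(dev, pin, &uv) != AUTH_OK) return 1;
    if (cfg->pin_required && !uv) return 1;
    return 0;
}

int main(void) {
    config_t cfg = { .pin_required = true };
    mock_authenticator_t key = { .pin = "1234", .key_present = true };  /* constructed */

    printf("vulnerable, NULL PIN : %s\n",
           authenticate_vulnerable(&cfg, &key, NULL) == 0 ? "ACCEPTED (bypass)" : "rejected");
    printf("fixed,      NULL PIN : %s\n",
           authenticate_fixed(&cfg, &key, NULL) == 0 ? "accepted" : "rejected");
    printf("fixed,      good PIN : %s\n",
           authenticate_fixed(&cfg, &key, "1234") == 0 ? "accepted" : "rejected");
    return 0;
}
```

The second check in the hardened path matters as well as the first: refusing NULL covers the application-side hole the advisory describes, while checking the returned UV state protects against any other route by which a non-verified assertion could be accepted under a PIN-required configuration.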

CVSS Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.yubico.com/support/security-advisories/ysa-2021-03
https://developers.yubico.com/pam-u2f/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRBVOZEMVO72FV4Z5O4GBGSURXHWRGD3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IL3I5AKECLMK4ADLLACLOEF7H5CMNDP2/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

6.8

Base Severity

MEDIUM
