CVE-2021-31924 - OpenCVE

Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Fedoraproject	Fedora
Yubico	Pam-u2f

Configuration 1 [-]

cpe:2.3:a:yubico:pam-u2f:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

References

Link	Resource
https://developers.yubico.com/pam-u2f/	Product Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRBVOZEMVO72FV4Z5O4GBGSURXHWRGD3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IL3I5AKECLMK4ADLLACLOEF7H5CMNDP2/
https://security.gentoo.org/glsa/202208-11	Third Party Advisory
https://www.yubico.com/support/security-advisories/ysa-2021-03	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-25T23:40:11

Updated: 2022-08-10T05:06:22

Reserved: 2021-04-30T00:00:00

Link: CVE-2021-31924

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-26T00:15:08.490

Modified: 2023-11-07T03:35:10.790

Link: CVE-2021-31924

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-10T05:06:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.yubico.com/support/security-advisories/ysa-2021-03"}, {"tags": ["x_refsource_MISC"], "url": "https://developers.yubico.com/pam-u2f/"}, {"name": "FEDORA-2021-a52d48b1c2", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRBVOZEMVO72FV4Z5O4GBGSURXHWRGD3/"}, {"name": "FEDORA-2021-724f4733e9", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IL3I5AKECLMK4ADLLACLOEF7H5CMNDP2/"}, {"name": "GLSA-202208-11", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-11"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-31924", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.yubico.com/support/security-advisories/ysa-2021-03", "refsource": "MISC", "url": "https://www.yubico.com/support/security-advisories/ysa-2021-03"}, {"name": "https://developers.yubico.com/pam-u2f/", "refsource": "MISC", "url": "https://developers.yubico.com/pam-u2f/"}, {"name": "FEDORA-2021-a52d48b1c2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRBVOZEMVO72FV4Z5O4GBGSURXHWRGD3/"}, {"name": "FEDORA-2021-724f4733e9", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IL3I5AKECLMK4ADLLACLOEF7H5CMNDP2/"}, {"name": "GLSA-202208-11", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-11"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31924", "datePublished": "2021-05-25T23:40:11", "dateReserved": "2021-04-30T00:00:00", "dateUpdated": "2022-08-10T05:06:22", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yubico:pam-u2f:*:*:*:*:*:*:*:*", "matchCriteriaId": "93820EAC-FFD1-4D1D-987F-69AB121027A6", "versionEndExcluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed."}, {"lang": "es", "value": "Yubico pam-u2f antes de la versi\u00f3n 1.1.1 tiene un problema l\u00f3gico que, dependiendo de la configuraci\u00f3n de pam-u2f y de la aplicaci\u00f3n utilizada, podr\u00eda conducir a una derivaci\u00f3n local del PIN. Este problema no permite eludir la presencia del usuario (tacto) o la verificaci\u00f3n de la firma criptogr\u00e1fica, por lo que un atacante todav\u00eda tendr\u00eda que poseer f\u00edsicamente e interactuar con la YubiKey u otro autenticador inscrito. Si pam-u2f est\u00e1 configurado para requerir la autenticaci\u00f3n con PIN, y la aplicaci\u00f3n que utiliza pam-u2f permite al usuario enviar NULL como PIN, pam-u2f intentar\u00e1 realizar una autenticaci\u00f3n FIDO2 sin PIN. Si esta autenticaci\u00f3n tiene \u00e9xito, el requisito del PIN se omite"}], "id": "CVE-2021-31924", "lastModified": "2023-11-07T03:35:10.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-26T00:15:08.490", "references": [{"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://developers.yubico.com/pam-u2f/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRBVOZEMVO72FV4Z5O4GBGSURXHWRGD3/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IL3I5AKECLMK4ADLLACLOEF7H5CMNDP2/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-11"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.yubico.com/support/security-advisories/ysa-2021-03"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}