Arch Linux Security Advisory ASA-201906-5
========================================
Severity: Medium
Date    : 2019-06-07
CVE-ID  : CVE-2019-12209 CVE-2019-12210
Package : pam-u2f
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-973

Summary
======
The package pam-u2f before version 1.0.8-2 is vulnerable to information
disclosure.

Resolution
=========
Upgrade to 1.0.8-2.

# pacman -Syu "pam-u2f>=1.0.8-2"

The problems have been fixed upstream in version 1.0.8.

Workaround
=========
A major mitigation for both issues is to remove the `debug` and
`debug_file` options for `pam_u2f.so` in the PAM configuration.
Furthermore enabling the `openasuser` option will mitigate the symlink
attack in CVE-2019-12209.

Description
==========
- CVE-2019-12209 (information disclosure)

A symbolic link attack has been found in pam-u2f before 1.8.0. The file
`$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module.
It can be a symlink pointing to an arbitrary file. The PAM module only
rejects non-regular files and files owned by other users than root or
the to-be-authenticated user. Even these checks are only made after
open()'ing the file, which may already trigger certain logic in the
kernel that is otherwise not reachable to regular users.

If the PAM modules' `debug` option is also enabled then most of the
content of the file is written either to stdout, stderr, syslog or to
the defined debug file. Therefore this can pose an information leak to
access e.g.  the contents of /etc/shadow, /root/.bash_history or
similar sensitive files. Furthermore the symlink attack can be used to
use other
users' u2f_keys files in the authentication process.

- CVE-2019-12210 (information disclosure)

A file descriptor leak has been found in pam-u2f before 1.8.0. If the
`debug` and `debug_file` options are set then the opened debug file
will be inherited to the successfully authenticated user's process.
Therefore this user can write further information to it, possibly
filling up a privileged file system or manipulating the information
found in the debug file.
This can leak sensitive information and also, if written to, be used to
fill the disk or plant misinformation.

Impact
=====
An authenticated user can access sensitive information via a crafted
symlink or a leaked file descriptor.

References
=========
https://seclists.org/oss-sec/2019/q2/149
https://bugzilla.suse.com/show_bug.cgi?id=1087061
https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
https://security.archlinux.org/CVE-2019-12209
https://security.archlinux.org/CVE-2019-12210

ArchLinux: 201906-5: pam-u2f: information disclosure

June 8, 2019

Summary

- CVE-2019-12209 (information disclosure) A symbolic link attack has been found in pam-u2f before 1.8.0. The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module. It can be a symlink pointing to an arbitrary file. The PAM module only rejects non-regular files and files owned by other users than root or the to-be-authenticated user. Even these checks are only made after open()'ing the file, which may already trigger certain logic in the kernel that is otherwise not reachable to regular users.
If the PAM modules' `debug` option is also enabled then most of the content of the file is written either to stdout, stderr, syslog or to the defined debug file. Therefore this can pose an information leak to access e.g. the contents of /etc/shadow, /root/.bash_history or similar sensitive files. Furthermore the symlink attack can be used to use other users' u2f_keys files in the authentication process.
- CVE-2019-12210 (information disclosure)
A file descriptor leak has been found in pam-u2f before 1.8.0. If the `debug` and `debug_file` options are set then the opened debug file will be inherited to the successfully authenticated user's process. Therefore this user can write further information to it, possibly filling up a privileged file system or manipulating the information found in the debug file. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation.

Resolution

Upgrade to 1.0.8-2. # pacman -Syu "pam-u2f>=1.0.8-2"
The problems have been fixed upstream in version 1.0.8.

References

https://seclists.org/oss-sec/2019/q2/149 https://bugzilla.suse.com/show_bug.cgi?id=1087061 https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3 https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62 https://security.archlinux.org/CVE-2019-12209 https://security.archlinux.org/CVE-2019-12210

Severity
Package : pam-u2f
Type : information disclosure
Remote : No
Link : https://security.archlinux.org/AVG-973

Workaround

A major mitigation for both issues is to remove the `debug` and `debug_file` options for `pam_u2f.so` in the PAM configuration. Furthermore enabling the `openasuser` option will mitigate the symlink attack in CVE-2019-12209.

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved