Subject: [ASA-201906-5] pam-u2f: information disclosure

Arch Linux Security Advisory ASA-201906-5
=========================================

Severity: Medium
Date    : 2019-06-07
CVE-ID  : CVE-2019-12209 CVE-2019-12210
Package : pam-u2f
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-973

Summary
=======

The package pam-u2f before version 1.0.8-2 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 1.0.8-2.

# pacman -Syu "pam-u2f>=1.0.8-2"

The problems have been fixed upstream in version 1.0.8.

Workaround
==========

A major mitigation for both issues is to remove the `debug` and
`debug_file` options for `pam_u2f.so` in the PAM configuration.
Furthermore, enabling the `openasuser` option will mitigate the symlink
attack in CVE-2019-12209.

Description
===========

- CVE-2019-12209 (information disclosure)

A symbolic link attack has been found in pam-u2f before 1.0.8. The file
`$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module. It
can be a symlink pointing to an arbitrary file. The PAM module only
rejects non-regular files and files owned by users other than root or the
to-be-authenticated user. Even these checks are only made after open()'ing
the file, which may already trigger certain logic in the kernel that is
otherwise not reachable to regular users.

If the PAM module's `debug` option is also enabled, then most of the
content of the file is written either to stdout, stderr, syslog or to the
defined debug file. Therefore this can pose an information leak to access
e.g. the contents of /etc/shadow, /root/.bash_history or similar sensitive
files. Furthermore, the symlink attack can be used to use other users'
u2f_keys files in the authentication process.

- CVE-2019-12210 (information disclosure)

A file descriptor leak has been found in pam-u2f before 1.0.8. If the
`debug` and `debug_file` options are set, then the opened debug file will
be inherited by the successfully authenticated user's process. Therefore
this user can write further information to it, possibly filling up a
privileged file system or manipulating the information found in the debug
file. This can leak sensitive information and also, if written to, be used
to fill the disk or plant misinformation.

Impact
======

An authenticated user can access sensitive information via a crafted
symlink or a leaked file descriptor.

References
==========

https://seclists.org/oss-sec/2019/q2/149
https://bugzilla.suse.com/show_bug.cgi?id=1087061
https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
https://security.archlinux.org/CVE-2019-12209
https://security.archlinux.org/CVE-2019-12210
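The two file-handling defects described above (a blindly followed u2f_keys symlink, and a debug descriptor inherited by the user's process) are illustrated here with a hardened open path. This is an added example for this advisory, not code from pam-u2f or its fix commits; the function names and the constructed scratch files are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the per-user u2f_keys file: refuse a symlink in the final component
 * (O_NOFOLLOW) and check type and owner on the open descriptor. O_NOFOLLOW does
 * not cover symlinked parent dirs, so openasuser remains the stronger control. */
int open_u2f_keys_safely(const char *path, uid_t uid) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_uid != uid && st.st_uid != 0)) { close(fd); return -1; }
    return fd;
}

/* Debug file opened close-on-exec: not inherited by the user's session process. */
FILE *open_debug_file(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600);
    FILE *f = fd < 0 ? NULL : fdopen(fd, "a");
    if (fd >= 0 && !f) close(fd);
    return f;
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int fd_is_cloexec(int fd) { int f = fcntl(fd, F_GETFD); return f < 0 ? -1 : !!(f & FD_CLOEXEC); }

/* Self-check on constructed files: regular key file accepted, symlink refused,
 * debug descriptor close-on-exec. Returns 1 when all three hold. */
int demo(void) {
    char dir[] = "/tmp/u2f_demo_XXXXXX", real[64], link[64], dbg[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(real, sizeof real, "%s/u2f_keys", dir);
    snprintf(link, sizeof link, "%s/u2f_keys_link", dir);
    snprintf(dbg, sizeof dbg, "%s/debug.log", dir);
    FILE *f = fopen(real, "w");
    if (!f || symlink(real, link) != 0) return 0;
    fputs("alice:constructed-handle,constructed-pubkey\n", f); fclose(f);
    int ok = 1, fd = open_u2f_keys_safely(real, getuid());
    ok &= fd >= 0 && fd_is_cloexec(fd) == 1; if (fd >= 0) close(fd);
    ok &= open_u2f_keys_safely(link, getuid()) < 0;
    FILE *d = open_debug_file(dbg);
    ok &= d != NULL && fd_is_cloexec(fileno(d)) == 1;
    if (d) fclose(d);
    unlink(link); unlink(real); unlink(dbg); rmdir(dir);
    return ok;
}
```

Removing the `debug`/`debug_file` options, as the Workaround section recommends, removes the second descriptor entirely; the close-on-exec flag shown here is what limits the damage when logging is kept.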