CVE-2019-12209 log

Source
Severity Medium
Remote No
Type Information disclosure
Description
A symbolic link attack has been found in pam-u2f before 1.8.0. The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module. It can be a symlink pointing to an arbitrary file. The PAM module only rejects non-regular files and files owned by other users than root or the to-be-authenticated user. Even these checks are only made after open()'ing the file, which may already trigger certain logic in the kernel that is otherwise not reachable to regular users.

If the PAM modules' `debug` option is also enabled then most of the content of the file is written either to stdout, stderr, syslog or to the defined debug file. Therefore this can pose an information leak to access e.g.  the contents of /etc/shadow, /root/.bash_history or similar sensitive files. Furthermore the symlink attack can be used to use other
users' u2f_keys files in the authentication process.
Group Package Affected Fixed Severity Status Ticket
AVG-973 pam-u2f 1.0.7-2 1.0.8-2 Medium Fixed
Date Advisory Group Package Severity Type
07 Jun 2019 ASA-201906-5 AVG-973 pam-u2f Medium information disclosure
References
https://seclists.org/oss-sec/2019/q2/149
https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3