Bug 1186577 (CVE-2021-31924)

Summary: VUL-0: CVE-2021-31924: pam_u2f: Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or crypto
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Paolo Perego <paolo.perego>
Status: RESOLVED UPSTREAM
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/300780/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-31924:7.3:(AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2021-05-28 07:41:02 UTC
CVE-2021-31924

Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f
configuration and the application used, could lead to a local PIN bypass. This
issue does not allow user presence (touch) or cryptographic signature
verification to be bypassed, so an attacker would still need to physically
possess and interact with the YubiKey or another enrolled authenticator. If
pam-u2f is configured to require PIN authentication, and the application using
pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to
perform a FIDO2 authentication without PIN. If this authentication is
successful, the PIN requirement is bypassed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31924
http://www.cvedetails.com/cve/CVE-2021-31924/
https://www.yubico.com/support/security-advisories/ysa-2021-03
https://developers.yubico.com/pam-u2f/
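The logic issue described above, modelled as an added example in C. This is not pam-u2f or libfido2 code and not the upstream 1.1.1 fix; the authenticator (fake_authenticator, fake_get_assert) is a constructed stand-in that behaves like a real FIDO2 device would: it returns a touch-only assertion when asked for one without a PIN. The vulnerable path treats a NULL PIN as "request an assertion without PIN"; the hardened path fails closed when the policy requires a PIN but none was submitted, and additionally checks the UV (user verified) flag of the returned assertion, a check that goes beyond the advisory text and is included here as a defensive generalization:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the CVE-2021-31924 decision logic. Not pam-u2f code;
 * all names below are assumptions made for this illustration. */

/* Authenticator data flag bits as defined by WebAuthn/CTAP2:
 * bit 0 = UP (user present, i.e. touch), bit 2 = UV (user verified). */
#define FLAG_UP 0x01
#define FLAG_UV 0x04

enum auth_result { AUTH_OK = 0, AUTH_ERR = 1 };

/* Constructed authenticator stand-in (hypothetical, not a real device API). */
struct fake_authenticator {
    const char *correct_pin;   /* PIN enrolled on the device */
    bool user_touched;         /* whether the user touched the key */
};

/* Produces an assertion. With a correct PIN it sets UV; with no PIN it still
 * yields a valid touch-only assertion, as a real authenticator would when the
 * client asks for an assertion without user verification. */
static int fake_get_assert(const struct fake_authenticator *dev,
                           const char *pin, uint8_t *flags_out)
{
    if (!dev->user_touched)
        return -1;                              /* no touch, no assertion */
    uint8_t flags = FLAG_UP;
    if (pin != NULL) {
        if (strcmp(pin, dev->correct_pin) != 0)
            return -1;                          /* wrong PIN: device refuses */
        flags |= FLAG_UV;
    }
    *flags_out = flags;
    return 0;
}

/* Vulnerable pattern: a NULL PIN is passed straight through, so a touch-only
 * assertion satisfies a policy that was supposed to require the PIN. */
static enum auth_result authenticate_vulnerable(const struct fake_authenticator *dev,
                                                bool pin_required, const char *pin)
{
    uint8_t flags;
    (void)pin_required;   /* policy is never consulted once the assertion succeeds */
    if (fake_get_assert(dev, pin, &flags) != 0)
        return AUTH_ERR;
    return AUTH_OK;
}

/* Hardened pattern: fail closed on a missing PIN, then verify the assertion
 * actually carries UV rather than trusting that a PIN was requested. */
static enum auth_result authenticate_hardened(const struct fake_authenticator *dev,
                                              bool pin_required, const char *pin)
{
    if (pin_required && pin == NULL)
        return AUTH_ERR;
    uint8_t flags;
    if (fake_get_assert(dev, pin, &flags) != 0)
        return AUTH_ERR;
    if (pin_required && !(flags & FLAG_UV))
        return AUTH_ERR;
    return AUTH_OK;
}

/* Scenario helpers: enrolled PIN "1234" (constructed), key touched, PIN required. */
int vulnerable_accepts_null_pin(void)
{
    struct fake_authenticator dev = { .correct_pin = "1234", .user_touched = true };
    return authenticate_vulnerable(&dev, true, NULL) == AUTH_OK;
}

int hardened_accepts_null_pin(void)
{
    struct fake_authenticator dev = { .correct_pin = "1234", .user_touched = true };
    return authenticate_hardened(&dev, true, NULL) == AUTH_OK;
}

int hardened_accepts_correct_pin(void)
{
    struct fake_authenticator dev = { .correct_pin = "1234", .user_touched = true };
    return authenticate_hardened(&dev, true, "1234") == AUTH_OK;
}

int hardened_accepts_wrong_pin(void)
{
    struct fake_authenticator dev = { .correct_pin = "1234", .user_touched = true };
    return authenticate_hardened(&dev, true, "0000") == AUTH_OK;
}

int main(void)
{
    printf("vulnerable, NULL PIN submitted: %s\n",
           vulnerable_accepts_null_pin() ? "accepted (PIN bypassed)" : "rejected");
    printf("hardened,   NULL PIN submitted: %s\n",
           hardened_accepts_null_pin() ? "accepted" : "rejected (fail closed)");
    return 0;
}
```

Both paths still require the key to be touched and the assertion to verify, which matches the advisory's note that touch and signature checks are not bypassed; the difference is only whether a missing PIN is allowed to downgrade the policy silently.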
Comment 1 Paolo Perego 2021-05-28 09:08:41 UTC
The version 1.1.1 fixing the vulnerability is already in Factory. I'll check for other versions.
Comment 2 Paolo Perego 2021-05-28 10:09:39 UTC
I double-checked for SLE, where version 1.0.8 is provided.

PIN verification is introduced only in version 1.1.0 so the package provided in SLE-12 and SLE-15 is not affected.