Bug 1186577 - (CVE-2021-31924) VUL-0: CVE-2021-31924: pam_u2f: Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or crypto
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Paolo Perego
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/300780/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-31924:7.3:(AV:...
Depends on:
Blocks:
Reported: 2021-05-28 07:41 UTC by Marcus Meissner
Modified: 2021-05-28 12:29 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2021-05-28 07:41:02 UTC
CVE-2021-31924

Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f
configuration and the application used, could lead to a local PIN bypass. This
issue does not allow user presence (touch) or cryptographic signature
verification to be bypassed, so an attacker would still need to physically
possess and interact with the YubiKey or another enrolled authenticator. If
pam-u2f is configured to require PIN authentication, and the application using
pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to
perform a FIDO2 authentication without PIN. If this authentication is
successful, the PIN requirement is bypassed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31924
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31924
http://www.cvedetails.com/cve/CVE-2021-31924/
https://www.yubico.com/support/security-advisories/ysa-2021-03
https://developers.yubico.com/pam-u2f/
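The logic issue described above, modelled as an added example that is not pam-u2f's own code: the authenticator is a constructed stand-in that always reports user presence, the PIN "123456" is a constructed test value, and the two decision functions are hypothetical shapes of the vulnerable and fixed behaviour, not the upstream implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a FIDO2 assertion. Touch always succeeds here;
 * the PIN is only checked when the caller asks for PIN verification. */
static bool authenticator_assert(bool with_pin, const char *pin) {
    if (!with_pin)
        return true;                              /* touch-only assertion */
    return pin != NULL && strcmp(pin, "123456") == 0;   /* constructed test PIN */
}

/* Vulnerable shape (hypothetical model of pre-1.1.1 behaviour): a NULL PIN
 * from the application silently downgrades the request to a no-PIN assertion,
 * so the configured PIN requirement is never enforced. */
bool auth_vulnerable(bool pin_required, const char *pin) {
    bool with_pin = pin_required && pin != NULL;
    return authenticator_assert(with_pin, pin);
}

/* Fixed shape (hypothetical model of 1.1.1 behaviour): if policy requires a
 * PIN, a missing PIN is an authentication failure, never a downgrade. */
bool auth_fixed(bool pin_required, const char *pin) {
    if (pin_required && pin == NULL)
        return false;
    return authenticator_assert(pin_required, pin);
}
```

The contrast is the check that matters for review: with PIN enforcement configured, the vulnerable path succeeds on a NULL PIN as long as the touch succeeds, while the fixed path refuses before any assertion is attempted.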
Comment 1 Paolo Perego 2021-05-28 09:08:41 UTC
The version 1.1.1 fixing the vulnerability is already in Factory. I'll check for other versions.
Comment 2 Paolo Perego 2021-05-28 10:09:39 UTC
I double-checked for SLE where version 1.0.8 is provided.

PIN verification is introduced only in version 1.1.0 so the package provided in SLE-12 and SLE-15 is not affected.