Yubico pam-u2f Local Privilege Escalation Vulnerability

Vulnerability

A local privilege escalation vulnerability has been identified in Yubico's pam-u2f package prior to version 1.3.1. This Pluggable Authentication Module (PAM) allows authentication with YubiKeys or other FIDO-compliant devices on macOS and Linux. The vulnerability arises from improper handling of PAM_IGNORE return values in the pam_sm_authenticate() function, which can lead to an authentication bypass in certain configurations. An unprivileged user may exploit this issue; depending on the setup, knowledge of the user's password may also be required.

Impact

Exploitation of this vulnerability can lead to unauthorized privilege escalation, particularly if the user has access to sudo.

Reproduction

The vulnerability is triggered by any condition that makes pam-u2f return PAM_IGNORE instead of an error, such as a corrupted authfile or a memory allocation failure. Concretely, the authfile can be removed or damaged while pam-u2f is configured to return PAM_SUCCESS in that case, or memory can be exhausted so that an allocation inside the module fails. In either case the second authentication factor is skipped.
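As an added illustration, not pam-u2f's own code, the following C program models why a second-factor module that answers PAM_IGNORE when its authfile is unreadable lets an "auth required" stack succeed on the password alone, and why reporting a hard authentication error closes the gap. The module functions, the stack evaluator and the PAM semantics are a deliberately simplified, hypothetical model of Linux-PAM's "required" control.

```c
#include <stdbool.h>
#include <stdio.h>

/* Subset of Linux-PAM return codes used by this model. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_IGNORE = 25 };

/* First factor: simulated pam_unix, assumed to have verified the password. */
static int sim_first_factor(void) { return PAM_SUCCESS; }

/* Second factor: simulated pam-u2f (hypothetical, not the real module).
 * When the authfile cannot be read, the pre-1.3.1 behaviour described in
 * the advisory is modelled as PAM_IGNORE; the fixed behaviour reports a
 * hard authentication error instead. */
static int sim_second_factor(bool authfile_ok, bool fixed) {
    if (authfile_ok)
        return PAM_SUCCESS;          /* the key presence check would run here */
    return fixed ? PAM_AUTH_ERR : PAM_IGNORE;
}

/* Evaluate an "auth required" stack: a PAM_IGNORE result is skipped and
 * does not count toward the outcome, so the stack succeeds whenever every
 * module that did contribute a result succeeded. */
static int eval_required_stack(const int *results, int n) {
    bool contributed = false, failed = false;
    for (int i = 0; i < n; i++) {
        if (results[i] == PAM_IGNORE)
            continue;                /* the factor silently drops out here */
        contributed = true;
        if (results[i] != PAM_SUCCESS)
            failed = true;
    }
    return (contributed && !failed) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Outcome of "password + second factor" for a given authfile state/version. */
int authenticate(bool authfile_ok, bool fixed) {
    int results[2] = { sim_first_factor(),
                       sim_second_factor(authfile_ok, fixed) };
    return eval_required_stack(results, 2);
}

int main(void) {
    printf("authfile damaged, pre-1.3.1 model: %s\n",
           authenticate(false, false) == PAM_SUCCESS
               ? "ALLOWED (second factor skipped)" : "denied");
    printf("authfile damaged, fixed model    : %s\n",
           authenticate(false, true) == PAM_SUCCESS ? "allowed" : "denied");
    return 0;
}
```

The practical takeaway for defenders is that a PAM module must never translate "I could not check" into PAM_IGNORE on a mandatory factor; the upgrade to 1.3.1 or later is the fix, and the model above only shows why it matters.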

Remediation

Users are advised to upgrade to pam-u2f version 1.3.1 or later. For Debian users, the updated version is available in the Debian LTS repository. Yubico also recommends checking the version of pam-u2f installed and upgrading if necessary.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.2
impact: 5.0
exploitability: 3.2
remediation: 8.3
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.