Himmelblau Invalid Hello PIN Authentication Vulnerability on Linux
Vulnerability
A vulnerability in Himmelblau versions 0.9.10 through 0.9.16 allows users to authenticate to a Linux host using an invalid Linux Hello PIN, but only while the host is offline. The flaw stems from an incorrect assumption in the 'acquire_token_by_hello_for_business_key' function, which acknowledged an offline authentication success without properly validating the Hello key unlock. As a result, a user can gain local access to the system, although Single Sign-On (SSO) fails because the network is down and no tokens can be issued. Systems running Rocky Linux 8 and its variants are not affected.
Impact
Exploiting this vulnerability permits authentication with an invalid Hello PIN, bypassing the normal PIN validation. While this grants access to the local system, SSO does not work in the offline state, so authentication flows that depend on SSO are disrupted, creating a potential denial-of-service scenario.
Reproduction
To reproduce this vulnerability, authenticate to a Linux host using Himmelblau while the host is offline and Hello PIN authentication is enabled. The authentication process will accept an invalid Hello PIN, bypassing the necessary validation.
Remediation
Upgrade to Himmelblau version 0.9.17 or later. Where an immediate upgrade is not possible, Hello PIN authentication can be disabled by setting 'enable_hello = false' in the Himmelblau configuration file.
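The following audit helper is an added example, not code from the advisory or from the Himmelblau project. It checks whether an installed version falls in the affected range (0.9.10 through 0.9.16) and whether the 'enable_hello = false' mitigation is present. It assumes an INI-style configuration file with a section header (a '[global]' section and the path /etc/himmelblau/himmelblau.conf are assumptions; the advisory names only the key), and it treats a missing key as Hello PIN enabled, which is also an assumption.

```python
"""Added audit helper (not Himmelblau project code): classify a host as
exposed, mitigated, fixed or unaffected for the offline invalid-PIN issue."""
import configparser
import re
from typing import Tuple

AFFECTED_MIN = (0, 9, 10)   # first affected release, from the advisory
AFFECTED_MAX = (0, 9, 16)   # last affected release, from the advisory
FIXED = (0, 9, 17)          # first fixed release, from the advisory

# Assumption: the config path is not stated in the advisory.
DEFAULT_CONF_PATH = "/etc/himmelblau/himmelblau.conf"

# Constructed sample config for demonstration; not taken from a real host.
SAMPLE_CONF = """# constructed sample
[global]
enable_hello = false
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract X.Y.Z from a bare version or a package string like
    'himmelblau-0.9.12-1.el9' and return it as a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def version_is_affected(version: str) -> bool:
    """True when the version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def hello_enabled(conf_text: str) -> bool:
    """Return False only when enable_hello is explicitly set to a false value
    in any section. Assumption: an absent key means Hello PIN stays enabled."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    for section in cp.sections():
        if cp.has_option(section, "enable_hello"):
            return cp.getboolean(section, "enable_hello")
    return True


def assess(version: str, conf_text: str) -> str:
    """Combine version and configuration into one verdict:
    'fixed' (>= 0.9.17), 'unaffected' (< 0.9.10),
    'mitigated' (affected but Hello disabled) or 'exposed'."""
    if not version_is_affected(version):
        return "fixed" if parse_version(version) >= FIXED else "unaffected"
    return "mitigated" if not hello_enabled(conf_text) else "exposed"


def assess_host(version: str, conf_path: str = DEFAULT_CONF_PATH) -> str:
    """Read the live config file (assumed path) and assess it."""
    with open(conf_path, encoding="utf-8") as fh:
        return assess(version, fh.read())


if __name__ == "__main__":
    # Run against the constructed sample: affected version, mitigation applied.
    print(assess("0.9.12", SAMPLE_CONF))
```

Feed it the version reported by the package manager (for example the output of `rpm -q himmelblau` or `dpkg -s himmelblau`) and point `assess_host` at the real configuration path on the host; any verdict of "exposed" means the upgrade or the 'enable_hello = false' setting is still outstanding.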