pam_usb NULL Pointer Dereference Vulnerability Leading to Denial-of-Service

Vulnerability

A NULL pointer dereference vulnerability has been identified in pam_usb versions prior to 0.8.7. The issue arises in src/device.c, where the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() are passed directly to strcmp() without checking for NULL. According to the GIO/UDisks API documentation, these accessors can return NULL for devices that do not provide the corresponding information. Passing NULL to strcmp() results in undefined behavior, typically causing a segmentation fault (SIGSEGV). This vulnerability can be exploited by an attacker with physical access who connects a USB device or mass-storage gadget that does not expose a serial number via UDisks. The PAM module crashes during device enumeration, leading to authentication failures for all users on the affected service until the device is removed. On a single-user workstation with pam_usb configured for login, this causes a complete lockout.
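The hardened pattern, as an added example rather than pam_usb's own src/device.c code: each accessor result is checked for NULL before it can reach strcmp(), so a device that omits a property is skipped instead of crashing the module. The drive_info struct, drive_matches() and the configured-identity parameters are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the three UDisks accessor results
 * (udisks_drive_get_serial/vendor/model); per the API docs any of
 * them may be NULL when the device does not expose that property. */
struct drive_info {
    const char *serial;
    const char *vendor;
    const char *model;
};

/* The advisory's bug: strcmp(drive->serial, cfg_serial) with a NULL
 * argument is undefined behaviour and typically segfaults. This helper
 * answers "does the attribute match?" without ever passing NULL on:
 * an absent attribute never matches a configured value. */
static int attr_matches(const char *actual, const char *expected)
{
    if (actual == NULL || expected == NULL)
        return 0;
    return strcmp(actual, expected) == 0;
}

/* Returns 1 when the enumerated drive matches the configured identity,
 * 0 otherwise. A drive missing any attribute is treated as a non-match
 * rather than terminating the PAM module mid-enumeration, which is what
 * turns one unusual USB device into a lockout for every user. */
int drive_matches(const struct drive_info *drive,
                  const char *cfg_serial, const char *cfg_vendor,
                  const char *cfg_model)
{
    if (drive == NULL)
        return 0;
    return attr_matches(drive->serial, cfg_serial)
        && attr_matches(drive->vendor, cfg_vendor)
        && attr_matches(drive->model, cfg_model);
}
```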

Impact

Exploitation of this vulnerability causes the PAM module to crash, disrupting authentication processes. This failure can lock out all users on the affected service until the problematic USB device is removed. In single-user workstations relying solely on pam_usb for login, this results in a total access denial.

Remediation

Upgrade to pam_usb version 0.8.7 or later, which contains the fix. The release is available from the pam_usb GitHub repository.

Added: May 28, 2026, 3:17 AM
Updated: May 28, 2026, 3:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.3
remediation: 0.0
relevance: 9.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.