Yubico PAM Module prior to 2.10 performed user authentication when 'use_first_pass' PAM configuration option was not used and the module was configured as 'sufficient' in the PAM configuration. A remote attacker could use this flaw to circumvent common authentication process and obtain access to the account in question by providing a NULL value (pressing Ctrl-D keyboard sequence) as the password string.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
yubico pam_module |
||
debian debian linux 8.0 |
||
debian debian linux 9.0 |
||
debian debian linux 10.0 |