CVE-2019-12209

Published: 04/06/2019 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

A symbolic link attack has been found in pam-u2f prior to 1.8.0. The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module, so it can be a symlink pointing to an arbitrary file. The PAM module only rejects non-regular files and files owned by users other than root or the to-be-authenticated user. Even these checks are made only after open()ing the file, which may already trigger certain logic in the kernel that is otherwise not reachable to regular users. If the PAM module's `debug` option is also enabled, then most of the content of the file is written to stdout, stderr, syslog or the defined debug file. This can therefore leak the contents of sensitive files such as /etc/shadow or /root/.bash_history. Furthermore, the symlink attack can be used to use other users' u2f_keys files in the authentication process.
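The checks described in the summary, reordered so that a symlink at the final path component is refused at open() time and the type and ownership checks run on the opened descriptor. This is an added example, not pam-u2f's code or its fix; `open_keyfile_checked` and `demo` are hypothetical names, and the temporary files are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a per-user key file without following a
 * symlink in the final path component, then validate the opened fd. */
int open_keyfile_checked(const char *path, uid_t user)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails (ELOOP on Linux) if path is a symlink.
     * O_NONBLOCK: do not block in open() on a FIFO planted at the path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so the checks apply to the
     * object that was actually opened. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_uid != 0 && st.st_uid != user)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular key file and a symlink to it in a
 * temp dir. Returns 0 if the file is accepted and the symlink refused. */
int demo(void)
{
    char dir[] = "/tmp/keydemoXXXXXX", real[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/u2f_keys", dir);
    snprintf(lnk, sizeof lnk, "%s/u2f_link", dir);
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(real, lnk) != 0) return -1;
    close(fd);
    int ok = open_keyfile_checked(real, geteuid());
    int bad = open_keyfile_checked(lnk, geteuid());
    if (ok >= 0) close(ok);
    if (bad >= 0) close(bad);
    unlink(lnk); unlink(real); rmdir(dir);
    return (ok >= 0 && bad < 0) ? 0 : 1;
}

int main(void) { return demo(); }
```

O_NOFOLLOW only covers the last path component; the directories under `$HOME` remain user-controlled, so a privileged caller would additionally need to open the file with the target user's privileges.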

Vulnerable Product

yubico pam-u2f 1.0.7

Vendor Advisories

Debian Bug report logs - #930021 pam-u2f: CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak Package: src:pam-u2f; Maintainer for src:pam-u2f is Debian Authentication Maintainers <team+auth@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Wed, 5 Jun 2019 10 ...
A symbolic link attack has been found in pam-u2f before 1.8.0. The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module. It can be a symlink pointing to an arbitrary file. The PAM module only rejects non-regular files and files owned by other users than root or the to-be-authenticated user. Even these checks are only made afte ...

Mailing Lists

oss-sec mailing list archives: pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible inform ...