Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 5 Jun 2019 11:59:31 +0200
From: Matthias Gerstner <>
Subject: pam-u2f: CVE-2019-12210: debug_file file descriptor leak,
 CVE-2019-12209: symlink attack on u2f_keys leading to possible information


pam-u2f [1] is a PAM module that allows to integrate universal 2nd
factor authenticators like YubiKey into the PAM stack. In the context of
a source code review [2] due to the inclusion of pam-u2f into SUSE Linux
two security issues in this PAM module have been uncovered as described
in the following sections.

CVE-2019-12210: debug_file file descriptor leak

If the `debug` and `debug_file` options are set then the opened debug
file will be inherited to the successfully authenticated user's process.
Therefore this user can write further information to it, possibly
filling up a privileged file system or manipulating the information
found in the debug file.

In some contexts the program utilizing PAM closes off leaked file
descriptors but it does work with su, for example, use the following
line in the PAM stack:

auth    optional debug debug_file=/tmp/u2f-debug.txt

Then prepare the debug file such that the PAM module can open it:

root# touch /tmp/u2f-debug.txt

Then perform su on yourself as an unprivileged user:

user$ su user
Password: XXX
user$ ls -l /proc/$$/fd
l-wx------ 1 user users 64  8. Mai 11:44 3 -> /tmp/u2f-debug.txt

As you can see the new user shell now has an open file descriptor for
the debug file.

CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak

The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM
module. It can be a symlink pointing to an arbitrary file. The PAM
module only rejects non-regular files and files owned by other users
than root or the to-be-authenticated user. Even these checks are only
made after open()'ing the file, which may already trigger certain logic
in the kernel that is otherwise not reachable to regular users.

If the PAM modules' `debug` option is also enabled then most of the
content of the file is written either to stdout, stderr, syslog or to
the defined debug file.  Therefore this can pose an information leak to
access e.g.  the contents of /etc/shadow, /root/.bash_history or similar
sensitive files. Furthermore the symlink attack can be used to use other
users' u2f_keys files in the authentication process.

For example use the following line in the PAM stack:

auth    optional debug

Then prepare a suitable symlink:

user$ mkdir -p ~/.config/Yubico
user$ ln -s /etc/shadow ~/.config/Yubico/u2f_keys

Then authenticate the user on a text console:

host login: user
Password: XXX
debug(pam_u2f):  Authorization line: avahi:!:18019::::::

Notice the lines from /etc/shadow being output on the terminal.

Bugfixes and Mitigations

The bugfix for CVE-2019-12210 is found in [3]. It solves the issue by
passing `O_CLOEXEC` and more conservative flags to related `open()`

The bugfix for CVE-2019-12209 is found in [4]. It solves the issue by
dropping privileges to the to-be-authenticated user before accessing the
`u2f_keys` file.

Both bugfixes are contained in the upstream release 1.0.8 [5].

A major mitigation for both issues is to remove the `debug` and
`debug_file` options for `` in the PAM configuration.
Furthermore enabling the `openasuser` option will mitigate the symlink
attack in CVE-2019-12209.

Timeline and Responsible Disclosure

Communication with upstream was responsive and constructive over the
complete timeline.

2019-05-08: I reported the findings privately to the upstream maintainer.
2019-05-20: has been involved and we worked out and
    reviewed patches together that have been agreed upon by this time.
2019-05-22: Yubico assigned CVEs for the issues.
2019-06-04: This was the established publication date and Yubico
    released a fixed version as planned.



Matthias Gerstner <>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG Nuernberg)

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.