Allele Security Alert
ASA-2019-00321
Identifier(s)
ASA-2019-00321, CVE-2019-12210
Title
debug_file file descriptor leak
Vendor(s)
Yubico
Product(s)
pam-u2f
Affected version(s)
pam-u2f versions before 1.0.8
Fixed version(s)
pam-u2f version 1.0.8
Proof of concept
Unknown
Description
If the `debug` and `debug_file` options are set, the file descriptor for the opened debug file is inherited by the successfully authenticated user's process. That user can therefore write further data to it, possibly filling up a privileged file system or manipulating the information found in the debug file.
Technical details
Some programs that use PAM close leaked file descriptors before executing the user's shell, but su does not, so the leak can be reproduced with su. For example, use the following line in the PAM stack:
auth optional pam_u2f.so debug debug_file=/tmp/u2f-debug.txt
Then prepare the debug file such that the PAM module can open it:
root# touch /tmp/u2f-debug.txt
Then, as an unprivileged user, su to your own account:
user$ su user
Password: XXX
user$ ls -l /proc/$$/fd
[...]
l-wx------ 1 user users 64 8 May 11:44 3 -> /tmp/u2f-debug.txt
As you can see, the new user shell has an open, writable file descriptor for the debug file.
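The following C program is an added example written for this alert; it is not pam-u2f code and does not reproduce the upstream patch. It shows the mechanism behind the leak: a debug log opened without close-on-exec survives the exec of the user's shell, while one opened with O_CLOEXEC does not (the commit title "Do not leak file descriptor when doing exec" suggests close-on-exec semantics, but the exact upstream change is not taken from this page and the O_CLOEXEC fix here is an assumption). The scratch file path, the function names and the use of `sh -c ": >&N"` as the "authenticated user's shell" are all constructed for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a debug log the way a PAM module might. With cloexec == 0 the
 * descriptor is inherited across exec (the pattern behind CVE-2019-12210);
 * with cloexec != 0 it carries FD_CLOEXEC and is closed when the host
 * program execs the user's shell. Assumed mitigation, not the upstream diff. */
static int open_debug_file(const char *path, int cloexec)
{
    int flags = O_WRONLY | O_CREAT | O_APPEND;
    if (cloexec)
        flags |= O_CLOEXEC;
    return open(path, flags, 0600);
}

/* Fork and exec /bin/sh as the "authenticated user's shell" would be, and
 * report whether that shell can still write to descriptor fd.
 * Returns 1 if the fd leaked into the exec'd child, 0 if it was closed,
 * -1 on error. */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    /* ':' with stdout redirected to fd succeeds only if fd is open for writing;
     * the shell reports "Bad file descriptor" and exits non-zero otherwise. */
    snprintf(cmd, sizeof cmd, ": >&%d 2>/dev/null", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Run the experiment on a constructed scratch file (not the advisory's
 * /tmp/u2f-debug.txt). Returns 1 if the exec'd shell inherited the debug
 * descriptor, 0 if it did not, -1 on error. */
int demonstrate_leak(int cloexec)
{
    char path[] = "/tmp/u2f-debug-demo-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    close(tmp);

    int fd = open_debug_file(path, cloexec);
    if (fd < 0) {
        unlink(path);
        return -1;
    }
    int leaked = fd_survives_exec(fd);
    close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("without O_CLOEXEC: fd inherited by shell = %d\n", demonstrate_leak(0));
    printf("with    O_CLOEXEC: fd inherited by shell = %d\n", demonstrate_leak(1));
    return 0;
}
```

Run as an unprivileged user on Linux; the first line reports 1 (the shell can write to the inherited descriptor) and the second reports 0. Marking the descriptor close-on-exec is the minimal change that stops the inheritance; closing the debug file explicitly before the host program execs the shell would also work, but a PAM module has no hook at that point, which is why the flag belongs on the open() call.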
Credits
Matthias Gerstner (SUSE Security Team)
Reference(s)
pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak
https://seclists.org/oss-sec/2019/q2/149
Release Notes
https://developers.yubico.com/pam-u2f/Release_Notes.html
Do not leak file descriptor when doing exec
https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
pam-u2f
https://developers.yubico.com/pam-u2f/
CVE-2019-12210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12210
CVE-2019-12210
https://nvd.nist.gov/vuln/detail/CVE-2019-12210
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 8, 2019