ASA-2019-00322 – pam-u2f: Symlink attack on u2f_keys leading to possible information leak

Allele Security Alert



ASA-2019-00322, CVE-2019-12209


Symlink attack on u2f_keys leading to possible information leak





Affected version(s)

pam-u2f versions before 1.0.8

Fixed version(s)

pam-u2f version 1.0.8

Proof of concept



The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module. It can be a symlink pointing to an arbitrary file. The PAM module only rejects non-regular files and files owned by other users than root or the to-be-authenticated user. Even these checks are only made after open()’ing the file, which may already trigger certain logic in the kernel that is otherwise not reachable to regular users.

Technical details

If the PAM modules’ `debug` option is also enabled then most of the content of the file is written either to stdout, stderr, syslog or to the defined debug file. Therefore this can pose an information leak to access e.g. the contents of /etc/shadow, /root/.bash_history or similar sensitive files. Furthermore the symlink attack can be used to use other users’ u2f_keys files in the authentication process.

For example use the following line in the PAM stack:

auth optional debug

Then prepare a suitable symlink:

user$ mkdir -p ~/.config/Yubico
user$ ln -s /etc/shadow ~/.config/Yubico/u2f_keys

Then authenticate the user on a text console:

host login: user
Password: XXX
debug(pam_u2f): Authorization line: avahi:!:18019::::::

Notice the lines from /etc/shadow being output on the terminal.


Matthias Gerstner (SUSE Security Team)


pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak

Drop privileges by default when opening user-related files

Release Notes




If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 8, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.