Local PIN Bypass Vulnerability in Yubico PAM-U2F
CVE-2021-31924

6.8 MEDIUM

Key Information:

Vendor: Yubico
Status: Vendor
CVE Published: 26 May 2021

What is CVE-2021-31924?

Yubico's pam-u2f before version 1.1.1 contains a logic flaw that, depending on the pam-u2f configuration and the application that calls it, can lead to a local PIN bypass. If pam-u2f is configured to require PIN verification (the pinverification option) and the calling application lets the user submit NULL as the PIN, pam-u2f attempts a FIDO2 authentication without a PIN instead of failing; if the authenticator accepts that assertion, the PIN requirement is bypassed. User presence (touch) and the cryptographic signature check are not bypassed, so an attacker still needs physical possession of, and interaction with, the YubiKey or another registered authenticator.
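The flaw is a client-side policy decision: the PIN requirement is enforced by pam-u2f before it talks to the authenticator, so a NULL PIN that is passed through becomes a PIN-less assertion that a credential registered without user verification will happily sign. The following C model, written for this page and not taken from pam-u2f, puts the pre-1.1.1 decision next to a hardened one. The simulated authenticator, the sample PIN "1234", and the function and option names are constructed assumptions; only the shape of the logic (required PIN absent, proceed anyway versus fail) mirrors the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the decision pam-u2f makes before requesting an
 * assertion. This is illustrative code for the advisory, not pam-u2f's own. */

#define AUTH_OK   0
#define AUTH_FAIL 1

/* Constructed stand-in for a registered FIDO2 authenticator. A credential
 * registered without user verification signs on touch alone when no PIN and
 * no UV is requested; a supplied PIN is verified against the device PIN. */
static const char *DEVICE_PIN = "1234";   /* constructed sample PIN */

static int simulated_get_assert(const char *pin, int uv_requested, int touched) {
    if (!touched)
        return AUTH_FAIL;                 /* user presence is never bypassed */
    if (pin == NULL)
        return uv_requested ? AUTH_FAIL : AUTH_OK;
    return strcmp(pin, DEVICE_PIN) == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Module configuration: pinverification=1 means "a PIN is required". */
struct cfg { int pinverification; };

/* Pre-1.1.1 shape of the logic described in the advisory: the PIN the
 * application handed over is forwarded as-is, and UV is only requested when
 * a PIN is actually present. A NULL PIN silently becomes a PIN-less request. */
static int vulnerable_authenticate(const struct cfg *c, const char *pin_from_app, int touched) {
    const char *pin = c->pinverification ? pin_from_app : NULL;
    return simulated_get_assert(pin, pin != NULL, touched);
}

/* Hardened logic: when a PIN is required, a NULL or empty PIN is an
 * authentication failure, never a downgrade to a PIN-less assertion. */
static int fixed_authenticate(const struct cfg *c, const char *pin_from_app, int touched) {
    if (c->pinverification) {
        if (pin_from_app == NULL || pin_from_app[0] == '\0')
            return AUTH_FAIL;
        return simulated_get_assert(pin_from_app, 1, touched);
    }
    return simulated_get_assert(NULL, 0, touched);
}

static const char *verdict(int r) { return r == AUTH_OK ? "allow" : "deny"; }

int main(void) {
    const struct cfg require_pin = { 1 };
    const char *pins[] = { NULL, "", "1234", "0000" };
    const char *labels[] = { "NULL", "empty", "correct", "wrong" };
    size_t i;

    printf("%-8s %-10s %-10s\n", "PIN", "pre-1.1.1", "hardened");
    for (i = 0; i < sizeof pins / sizeof pins[0]; i++) {
        printf("%-8s %-10s %-10s\n", labels[i],
               verdict(vulnerable_authenticate(&require_pin, pins[i], 1)),
               verdict(fixed_authenticate(&require_pin, pins[i], 1)));
    }
    return 0;
}
```

The table the program prints is the whole bug in one row: with a required PIN and a NULL PIN the old logic allows, the hardened logic denies, and both still deny when the key is not touched. The hardened path also rejects an empty string, because a PAM conversation that returns "" for an unanswered prompt is the same downgrade as NULL; treat both as "no PIN supplied".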

CVSS v3.1

Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved
  • Vulnerability published: 26 May 2021