oss-sec mailing list archives

Re: CVE Request -- pam_yubico -- Authentication bypass via NULL password


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 07 Nov 2011 08:49:23 -0700

On 11/07/2011 04:15 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
>   a security flaw was found in the way pam_yubico, a pluggable
> authentication module for YubiKeys, performed user authentication
> when the 'use_first_pass' PAM configuration option was not used and
> the pam_yubico module was configured as 'sufficient' in the PAM
> configuration. A remote attacker could use this flaw to circumvent
> the common authentication process and obtain access to the account in
> question by providing a NULL value (pressing the Ctrl-D keyboard
> sequence) as the password string.
>
> Relevant upstream patch:
> [1] https://github.com/Yubico/yubico-pam/commit/4712da70cac159d5ca9579c1e4fac0645b674043
>
> References:
> [2] http://groups.google.com/group/yubico-devel/browse_thread/thread/3f179ec0e6845deb
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=733322
>
> Could you allocate a CVE id for this?

Please use CVE-2011-4120 for this issue.

> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team


-- 

-Kurt Seifried / Red Hat Security Response Team
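Added example, not code from this thread or from yubico-pam: the failure mode described above is a PAM module receiving a NULL PAM_AUTHTOK (the user ended input with Ctrl-D) and not treating it as a failed authentication. The function below shows the defensive handling a module in a 'sufficient' stack needs before any OTP check runs; the names, the constructed return codes, and the assumed 44-character modhex OTP length are this example's, not the project's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for PAM_SUCCESS / PAM_AUTH_ERR so the example
   compiles without <security/pam_appl.h>. */
#define EX_PAM_SUCCESS  0
#define EX_PAM_AUTH_ERR 7

#define OTP_LEN 44  /* assumed: a YubiKey OTP is 44 modhex characters */

struct split_authtok {
    const char *otp;     /* trailing OTP inside the authtok */
    size_t      pw_len;  /* length of the system password before it */
};

/* Validate the PAM_AUTHTOK item before anything else happens.
   A NULL pointer is what the module sees when the user presses Ctrl-D
   instead of typing a password; it must be a hard failure, never
   "nothing to check" that a 'sufficient' entry then lets through. */
int split_authtok_checked(const char *authtok, struct split_authtok *out)
{
    size_t len;
    if (authtok == NULL || out == NULL)
        return EX_PAM_AUTH_ERR;              /* NULL password: fail closed */
    len = strlen(authtok);
    if (len < OTP_LEN)
        return EX_PAM_AUTH_ERR;              /* too short to hold an OTP */
    out->pw_len = len - OTP_LEN;
    out->otp = authtok + out->pw_len;
    /* modhex alphabet: only the characters cbdefghijklnrtuv */
    for (size_t i = 0; i < OTP_LEN; i++)
        if (strchr("cbdefghijklnrtuv", out->otp[i]) == NULL)
            return EX_PAM_AUTH_ERR;
    return EX_PAM_SUCCESS;
}

/* Convenience wrapper: password length on success, -1 on failure. */
long authtok_password_len(const char *authtok)
{
    struct split_authtok s;
    return split_authtok_checked(authtok, &s) == EX_PAM_SUCCESS ? (long)s.pw_len : -1;
}

int main(void)
{
    /* constructed inputs: Ctrl-D (NULL), empty, and password+OTP */
    printf("NULL -> %ld\n", authtok_password_len(NULL));
    printf("empty -> %ld\n", authtok_password_len(""));
    printf("pw+otp -> %ld\n", authtok_password_len("hunter2ccccccccccccbdefghijklnrtuvcbdefghijklnrtuvc"));
    return 0;
}
```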