CVE-2019-12209

openSUSE Security Advisory - openSUSE-SU-2019:1725-1

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information.

Yubico pam-u2f 1.0.7 intenta analizar el archivo de configuración configurado (predeterminado $ HOME / .config / Yubico / u2f_keys) como root (a menos que se haya habilitado openasuser), y no verifica correctamente que la ruta carece de enlaces simbólicos que apuntan a otros archivos en el Sistema propiedad de root. Si la opción de depuración está habilitada en la configuración de PAM, se registrará parte del contenido del archivo de un objetivo de enlace simbólico, posiblemente revelando información confidencial.

An update that fixes three vulnerabilities is now available. This update for libu2f-host and pam_u2f to version 1.0.8 fixes the following issues. Security issues fixed for libu2f-host. Fixed a memory leak due to a wrong parse of init's response. Security issues fixed for pam_u2f. Fixed an issue where symlinks in the user's directory were followed. Fixed file descriptor leaks. This update was imported from the SUSE:SLE-15:Update update project.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-05-20 CVE Reserved
2019-06-04 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CAPEC

References (7)

URL	Tag	Source

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2019/06/05/1	2024-08-04

URL	Date	SRC
https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html	2023-11-07
https://developers.yubico.com/pam-u2f/Release_Notes.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5FOR4ADC356JPCHAJI5UXZORLC3VNBPS	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCGU6UQLI3ZTW3UYCTMQW7VDL5M4LCWR	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Yubico Search vendor "Yubico"		Pam-u2f Search vendor "Yubico" for product "Pam-u2f"				1.0.7 Search vendor "Yubico" for product "Pam-u2f" and version "1.0.7"		-		Affected