NetBSD Problem Report #58995

From www@netbsd.org  Wed Jan 15 12:33:03 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits)
	 client-signature RSA-PSS (2048 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id E2AE21A923A
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 15 Jan 2025 12:33:02 +0000 (UTC)
Message-Id: <20250115123301.BC2AE1A923B@mollari.NetBSD.org>
Date: Wed, 15 Jan 2025 12:33:01 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: pam-u2f CVE-2025-23013
X-Send-Pr-Version: www-1.0

>Number:         58995
>Category:       security
>Synopsis:       pam-u2f CVE-2025-23013
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    security-officer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 15 12:35:00 +0000 2025
>Originator:     Taylor R Campbell
>Release:        
>Organization:
The NetU2F Pamdation
>Environment:
>Description:
pam-u2f needs an update.  Summary from Yubico (https://www.yubico.com/support/security-advisories/ysa-2025-01/):

> Yubico’s open source pam-u2f software package implements a Pluggable
> Authentication Module (PAM) that can be deployed to support
> authentication using a YubiKey or other FIDO compliant authenticators
> on macOS or Linux. This software package has an issue which allows
> for an authentication bypass in some configurations. An attacker
> would require the ability to access the system as an unprivileged
> user. Depending on the configuration, the attacker may also need to
> know the user’s password. To resolve this, Yubico recommends
> customers upgrade to the latest version of pam-u2f.

See also oss-security posting:
https://www.openwall.com/lists/oss-security/2025/01/15/1
>How-To-Repeat:
use and/or abuse pam-u2f
>Fix:
1. maybe work around via clever pam config
2. update pam-u2f
3. audit rest of tree for PAM_IGNORE abuse
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2025 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.