oss-sec mailing list archives
CVE Request -- pam_yubico -- Authentication bypass via NULL password
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 07 Nov 2011 12:15:48 +0100
Hello Kurt, Steve, vendors,

a security flaw was found in the way pam_yubico, a pluggable authentication module for YubiKeys, performed user authentication when the 'use_first_pass' PAM configuration option was not used and the pam_yubico module was configured as 'sufficient' in the PAM configuration. A remote attacker could use this flaw to circumvent the common authentication process and obtain access to the account in question by providing a NULL value (pressing the Ctrl-D keyboard sequence) as the password string.

Relevant upstream patch:
[1] https://github.com/Yubico/yubico-pam/commit/4712da70cac159d5ca9579c1e4fac0645b674043

References:
[2] http://groups.google.com/group/yubico-devel/browse_thread/thread/3f179ec0e6845deb
[3] https://bugzilla.redhat.com/show_bug.cgi?id=733322

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
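The following is an added illustration, not part of the report above and not the upstream yubico-pam code or its patch: it models why a module that treats a NULL conversation response as a success, stacked as 'sufficient', bypasses the rest of the auth stack, and shows a fail-closed check beside it. The PAM return codes are defined locally so the file builds without libpam, the 44-character modhex format check is an assumed defensive pre-check (the real module verifies the OTP with a validation server, which is not modelled), and the two-module stack model is a simplification.

```c
#include <stddef.h>
#include <string.h>

/* Local stand-ins for the PAM return codes (values as in <security/_pam_types.h>)
 * so this file builds without libpam. */
#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7

/* A YubiKey OTP is 44 modhex characters (12-char public id + 32-char token). */
#define OTP_LEN 44
static const char MODHEX[] = "cbdefghijklnrtuv";

/* Fail-closed check on the string the PAM conversation handed back.
 * A NULL or empty response (the Ctrl-D case) is an authentication failure.
 * Assumed pre-check only: the real module still has to validate the OTP. */
int otp_response_ok(const char *resp)
{
    if (resp == NULL || resp[0] == '\0')
        return PAM_AUTH_ERR;
    if (strlen(resp) != OTP_LEN)
        return PAM_AUTH_ERR;
    for (size_t i = 0; i < OTP_LEN; i++)
        if (strchr(MODHEX, resp[i]) == NULL)
            return PAM_AUTH_ERR;
    return PAM_SUCCESS;
}

/* Behaviour the report describes for the unpatched module: a NULL password
 * is not rejected, so the module reports success (hypothetical model). */
int buggy_check(const char *resp)
{
    if (resp == NULL)
        return PAM_SUCCESS;   /* the bug: NULL treated as a valid credential */
    return otp_response_ok(resp);
}

/* Minimal model of an auth stack: the yubico module followed by pam_unix.
 * 'sufficient' returns success immediately when the module succeeds and
 * ignores its failure; 'required' lets the stack continue but pins the
 * final result to failure if the module failed. */
enum control { SUFFICIENT, REQUIRED };

int stack_auth(const char *otp, enum control yubico_ctl, int unix_result,
               int (*yubico_check)(const char *))
{
    int r = yubico_check(otp);
    if (yubico_ctl == SUFFICIENT && r == PAM_SUCCESS)
        return PAM_SUCCESS;    /* pam_unix is never consulted */
    if (yubico_ctl == REQUIRED && r != PAM_SUCCESS)
        return PAM_AUTH_ERR;   /* pam_unix runs, but the outcome is fixed */
    return unix_result;
}
```

With the fail-closed check, a NULL response can no longer short-circuit the stack regardless of whether the module is 'sufficient' or 'required'.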