oss-sec mailing list archives
Re: CVE Request -- pam_yubico -- Authentication bypass via NULL password
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 07 Nov 2011 08:49:23 -0700
On 11/07/2011 04:15 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

a security flaw was found in the way pam_yubico, a pluggable authentication module for YubiKeys, performed user authentication when the 'use_first_pass' PAM configuration option was not used and the pam_yubico module was configured as 'sufficient' in the PAM configuration. A remote attacker could use this flaw to circumvent the common authentication process and obtain access to the account in question by providing a NULL value (pressing the Ctrl-D keyboard sequence) as the password string.

Relevant upstream patch:
[1] https://github.com/Yubico/yubico-pam/commit/4712da70cac159d5ca9579c1e4fac0645b674043

References:
[2] http://groups.google.com/group/yubico-devel/browse_thread/thread/3f179ec0e6845deb
[3] https://bugzilla.redhat.com/show_bug.cgi?id=733322

Could you allocate a CVE id for this?
Please use CVE-2011-4120 for this issue.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

--
-Kurt Seifried / Red Hat Security Response Team
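As an added illustration (not yubico-pam's code and not the linked commit), the C model below shows the fail-open control flow the report describes, where a NULL reply from the PAM conversation (Ctrl-D) never reaches the OTP check, beside a fail-closed variant; the PAM result constants, the conversation callback and the accepted OTP value are simplified stand-ins constructed for this example.

```c
/* Added example: models the bug class behind CVE-2011-4120.
 * The constants and callbacks are stand-ins, not <security/pam_appl.h>. */
#include <stddef.h>
#include <string.h>

#define PAM_SUCCESS  0   /* stand-in values assumed for this example */
#define PAM_AUTH_ERR 7

/* Stand-in for the PAM conversation: a NULL reply models the user
 * sending end-of-file (Ctrl-D) instead of typing a password. */
typedef const char *(*conv_fn)(void);

/* Stand-in for OTP validation; "example-valid-otp" is a constructed token. */
static int otp_valid(const char *otp) {
    return otp != NULL && strcmp(otp, "example-valid-otp") == 0;
}

/* Fail-open shape: the result defaults to success and verification only
 * runs when a password string was obtained, so a NULL reply returns
 * PAM_SUCCESS. With the module marked 'sufficient', that result ends the
 * PAM stack with the user authenticated. */
int authenticate_fail_open(conv_fn conv) {
    int retval = PAM_SUCCESS;
    const char *password = conv();
    if (password != NULL)
        retval = otp_valid(password) ? PAM_SUCCESS : PAM_AUTH_ERR;
    return retval;
}

/* Fail-closed shape: a NULL reply is an explicit authentication error and
 * the default result is failure, so any path that skips verification
 * still denies access. */
int authenticate_fail_closed(conv_fn conv) {
    int retval = PAM_AUTH_ERR;
    const char *password = conv();
    if (password == NULL)
        return PAM_AUTH_ERR;
    if (otp_valid(password))
        retval = PAM_SUCCESS;
    return retval;
}

/* Constructed conversation outcomes used to exercise both variants. */
const char *conv_ctrl_d(void) { return NULL; }
const char *conv_good(void)   { return "example-valid-otp"; }
const char *conv_bad(void)    { return "not-the-token"; }
```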