Bug 1135729 (CVE-2019-12209)

Summary: VUL-0: CVE-2019-12209: pam_u2f: symlinks are followed
Product: [Novell Products] SUSE Security Incidents Reporter: Matthias Gerstner <matthias.gerstner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, smash_bz, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/233359/
Whiteboard: CVSSv2:NVD:CVE-2019-12209:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv3:NVD:CVE-2019-12209:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSSv3:SUSE:CVE-2019-12209:4.6:(AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Matthias Gerstner 2019-05-21 08:51:16 UTC 
Split-off from audit bug 1087061: This issue is for tracking the following of symlinks in the user's home directory for the auth_file:

```
    the file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the
    pam module. It can be a symlink pointing to an arbitrary file. The PAM
    module only rejects non- regular files and files owned by other users
    than root or the to-be- authenticated user. Even these checks are only
    made after open()ing the file, which may already trigger certain logic
    in the kernel that is otherwise not reachable to regular users.
  
    If `debug` is also enabled then most of the content of the file is
    written either to stdout, stderr, syslog or to the defined debug
    file. Therefore this can pose a big information leak to access e.g.
    the contents of /etc/shadow, /root/.bash_history or similar sensitive
    files.
  
    For example use the following line in the PAM stack:
  
    auth    optional        pam_u2f.so debug
  
    Then prepare a suitable symlink:
  
    user$ mkdir -p ~/.config/Yubico
    user$ ln -s /etc/shadow ~/.config/Yubico/u2f_keys
  
    Then authenticate the user on a text console:
  
    host login: user
    Password: XXX
    [...]
    debug(pam_u2f):  Authorization line: avahi:!:18019::::::
    [...]
  
    Notice the lines from /etc/shadow being output on the terminal.
```

This finding is still undisclosed and the publication date for this is:

CRD: 2019-06-04
Comment 4 Karol Babioch 2019-05-28 19:53:08 UTC 
Addressed this in SLE codestreams:

- https://build.suse.de/request/show/193686
- https://build.suse.de/request/show/193687

The openSUSE codestreams will either inherit it from SLE, or will be updated/bumped once this becomes public. Not sure what else will change with next upstream release, but personally I would prefer to bump the version instead of maintaining patches on top of an old release.
Comment 5 Bernhard Wiedemann 2019-05-28 20:35:33 UTC 
This is an autogenerated message for IBS integration:
This bug (1135729) was mentioned in
https://build.suse.de/request/show/193688 SLE-15 / pam_u2f
Comment 6 Matthias Gerstner 2019-06-04 13:10:40 UTC 
Upstream published the findings by now. The patches [1], [2] and the release
notes [3] are available.

[1]: https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
[2]: https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
[3]: https://developers.yubico.com/pam-u2f/Release_Notes.html
Comment 8 Swamp Workflow Management 2019-07-04 19:11:28 UTC 
SUSE-SU-2019:1750-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128140,1135727,1135729
CVE References: CVE-2019-12209,CVE-2019-12210,CVE-2019-9578
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libu2f-host-1.1.6-3.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    libu2f-host-1.1.6-3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libu2f-host-1.1.6-3.6.1, pam_u2f-1.0.8-3.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    libu2f-host-1.1.6-3.6.1, pam_u2f-1.0.8-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-07-04 19:12:29 UTC 
SUSE-SU-2019:1749-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124781,1128140,1135727,1135729
CVE References: CVE-2018-20340,CVE-2019-12209,CVE-2019-12210,CVE-2019-9578
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    libu2f-host-1.1.6-3.5.1, pam_u2f-1.0.8-3.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libu2f-host-1.1.6-3.5.1, pam_u2f-1.0.8-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-07-19 10:13:04 UTC 
openSUSE-SU-2019:1708-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128140,1135727,1135729
CVE References: CVE-2019-12209,CVE-2019-12210,CVE-2019-9578
Sources used:
openSUSE Leap 15.1 (src):    libu2f-host-1.1.6-lp151.2.6.1, pam_u2f-1.0.8-lp151.2.3.1
Comment 11 Swamp Workflow Management 2019-07-19 19:18:35 UTC 
openSUSE-SU-2019:1725-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128140,1135727,1135729
CVE References: CVE-2019-12209,CVE-2019-12210,CVE-2019-9578
Sources used:
openSUSE Leap 15.0 (src):    libu2f-host-1.1.6-lp150.10.1, pam_u2f-1.0.8-lp150.7.1
Comment 12 Wolfgang Frisch 2020-10-19 16:10:52 UTC 
Released.