CVE-2021-31924
MEDIUMYubico pam-u2f < 1.1.1 - Local PIN Bypass via NULL PIN Submission
Title source: llmDescription
Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_misc
https://www.yubico.com/support/security-advisories/ysa-2021-03
Product, Vendor Advisory x_refsource_misc
https://developers.yubico.com/pam-u2f/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRBVOZEMVO72FV4Z5O4GBGSURXHWRGD3/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IL3I5AKECLMK4ADLLACLOEF7H5CMNDP2/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202208-11
Scores
CVSS v3
6.8
EPSS
0.0033
EPSS Percentile
25.1%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (3)
fedoraproject/fedora
34
fedoraproject/fedora
35
yubico/pam-u2f
< 1.1.1
Published
May 26, 2021
Tracked Since
Feb 18, 2026