First published: Tue May 25 2021
Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed.
Credit: cve@mitre.org
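To make the logic issue concrete, the following is an added C example; it is not pam-u2f's source and does not call libfido2. A simulated authenticator (`sim_get_assert`, with a constructed device PIN of "1234") stands in for the YubiKey, `authenticate_vulnerable` models a pre-1.1.1-style decision path in which a NULL PIN silently turns into an assertion request without user verification, and `authenticate_fixed` fails closed when a PIN is required but none was supplied. All function and variable names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model of the CVE-2021-31924 logic flaw (not pam-u2f code).
 * A simulated authenticator stands in for libfido2 and a physical YubiKey. */

enum auth_result { AUTH_OK = 0, AUTH_FAIL = 1 };

/* Constructed secret used only by the simulated authenticator. */
static const char SIM_DEVICE_PIN[] = "1234";

/* Simulated FIDO2 getAssertion.
 *  - A physical touch (user presence) is always required.
 *  - If the caller asks for user verification (want_uv), a correct PIN is mandatory.
 *  - If the caller does not ask for uv and sends no PIN, the device still
 *    produces a valid assertion: nothing told it that a PIN was needed. */
static enum auth_result sim_get_assert(int touched, int want_uv, const char *pin)
{
    if (!touched)
        return AUTH_FAIL;                       /* no presence, no signature */
    if (pin != NULL)
        return strcmp(pin, SIM_DEVICE_PIN) == 0 ? AUTH_OK : AUTH_FAIL;
    return want_uv ? AUTH_FAIL : AUTH_OK;       /* no PIN supplied */
}

/* Vulnerable decision logic (hypothetical): a NULL PIN is treated as
 * "nothing to send" instead of "required PIN missing", so the assertion is
 * requested without user verification and the device happily signs. */
enum auth_result authenticate_vulnerable(int require_pin, int touched, const char *pin)
{
    int want_uv = (require_pin && pin != NULL);
    return sim_get_assert(touched, want_uv, pin);
}

/* Hardened logic: fail closed when the policy requires a PIN but none was
 * given, and always request uv whenever the policy requires the PIN. */
enum auth_result authenticate_fixed(int require_pin, int touched, const char *pin)
{
    if (require_pin && pin == NULL)
        return AUTH_FAIL;
    return sim_get_assert(touched, require_pin, pin);
}

static const char *describe(enum auth_result r)
{
    return r == AUTH_OK ? "accepted" : "rejected";
}

int main(void)
{
    const int require_pin = 1;  /* module configured to require a PIN */
    printf("vulnerable, NULL PIN, touched : %s (PIN bypass)\n",
           describe(authenticate_vulnerable(require_pin, 1, NULL)));
    printf("vulnerable, NULL PIN, no touch: %s (touch still required)\n",
           describe(authenticate_vulnerable(require_pin, 0, NULL)));
    printf("fixed, NULL PIN, touched      : %s\n",
           describe(authenticate_fixed(require_pin, 1, NULL)));
    printf("fixed, correct PIN, touched   : %s\n",
           describe(authenticate_fixed(require_pin, 1, "1234")));
    printf("fixed, wrong PIN, touched     : %s\n",
           describe(authenticate_fixed(require_pin, 1, "0000")));
    return 0;
}
```

Note that both paths still refuse when the simulated device is not touched, which mirrors the advisory's point that user presence and the signature check are not bypassed; only the PIN gate is skipped. The practical check for a deployment is therefore whether the PAM-using application can ever hand the module a NULL PIN (for example by aborting the prompt), and whether the installed pam-u2f is 1.1.1 or newer.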
Affected Software | Affected Version | How to fix
---|---|---
Yubico pam-u2f | <1.1.1 | Update to pam-u2f 1.1.1 or newer
Fedoraproject Fedora | =34 |
Fedoraproject Fedora | =35 |
CVE-2021-31924 is a local PIN bypass in Yubico pam-u2f before version 1.1.1: when the module is configured to require a PIN and the calling application lets the user submit NULL as the PIN, pam-u2f attempts the FIDO2 authentication without a PIN, and a successful assertion satisfies the login despite the PIN requirement.
User presence (touch) and cryptographic signature verification are not affected by CVE-2021-31924; an attacker still needs physical possession of, and interaction with, the YubiKey or another enrolled authenticator.
Affected: Yubico pam-u2f before version 1.1.1.
Fix: update Yubico pam-u2f to version 1.1.1 or newer.