CVE-2011-4120
Published 2019-11-26
CVE-2011-4120: Yubico PAM Module before 2.10 performed user authentication when 'use_first_pass' PAM configuration option was not used and the module was configured as…
Priority P2 62 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS 2.02% (78.5th percentile)
Yubico PAM Module before 2.10 performed user authentication when 'use_first_pass' PAM configuration option was not used and the module was configured as 'sufficient' in the PAM configuration. A remote attacker could use this flaw to circumvent common authentication process and obtain access to the account in question by providing a NULL value (pressing Ctrl-D keyboard sequence) as the password string.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | yubico-pam | < yubico-pam 2.10-1 (bookworm) | yubico-pam 2.10-1 (bookworm) |
| yubico-pam | yubico-pam | — | — |
| yubico-pam | yubico-pam | >= 0 < 2.10-1 | 2.10-1 |
| yubico-pam | yubico-pam | >= 0 < 2.10-1 | 2.10-1 |
| yubico-pam | yubico-pam | >= 0 < 2.10-1 | 2.10-1 |
| yubico-pam | yubico-pam | >= 0 < 2.10-1 | 2.10-1 |
| yubico | pam_module | < 2.10 | 2.10 |
Detection & IOCs (extracted from sources)
- Authentication bypass is triggered by supplying a NULL password (Ctrl-D keyboard sequence) at the pam_yubico password prompt when 'use_first_pass' is NOT set and the module is configured as 'sufficient'.
- Monitor PAM authentication logs for successful logins via pam_yubico where no password/OTP was supplied (empty/null credential). Flag any pam_yubico 'sufficient' auth success events with a blank password field.
- Affected pam_yubico versions are 2.4 through 2.7 (and up to pre-2.10); flag systems running these versions with pam_yubico configured as 'sufficient' without 'use_first_pass'.
- The bypass only applies when the 'use_first_pass' PAM option is NOT used AND pam_yubico is configured as 'sufficient' in the PAM stack. Configurations using 'use_first_pass' or 'required'/'requisite' are not directly affected by this specific bypass path.
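Added audit script, not from the advisory or the yubico-pam project: it scans PAM service files for the stacking the bullets above describe (pam_yubico.so as 'sufficient' in an auth stanza without 'use_first_pass') and runs on constructed sample files to show both outcomes; the module options id=16 and debug in the samples are illustrative placeholders, and upgrading to 2.10 remains the actual fix.

```shell
#!/bin/sh
# Example audit helper (not part of the advisory or yubico-pam). It finds the
# PAM stacking CVE-2011-4120 applies to on pre-2.10 modules: an 'auth' stanza
# with control 'sufficient', module pam_yubico.so, and no 'use_first_pass'.

# check_pam_file FILE: prints each exposed stanza; returns 1 if any was found.
check_pam_file() {
    file=$1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*|'') continue ;;                 # skip comments and blank lines
        esac
        set -- $line                            # type, control, module, args...
        [ "$1" = "auth" ] && [ "$2" = "sufficient" ] || continue
        case "$3" in
            pam_yubico.so|*/pam_yubico.so) ;;   # bare or full module path
            *) continue ;;
        esac
        shift 3
        case " $* " in
            *" use_first_pass "*) continue ;;   # outside the affected configuration
        esac
        echo "$file: $line"
        found=1
    done < "$file"
    return $found
}

# Constructed sample stacks (not real system files) showing both outcomes.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed: exposed stack' \
        'auth sufficient pam_yubico.so id=16 debug' \
        'auth required   pam_unix.so' > "$dir/sshd-weak"
    printf '%s\n' '# constructed: hardened stack' \
        'auth required pam_unix.so' \
        'auth required pam_yubico.so id=16 use_first_pass' > "$dir/sshd-ok"
    for f in "$dir/sshd-weak" "$dir/sshd-ok"; do
        if check_pam_file "$f"; then
            echo "$f: no exposed pam_yubico stanza"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run it against /etc/pam.d/* on a host to list every service file whose stack matches the exposed pattern.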
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
GHSA
GHSA-4qc6-w2f8-x2pc: Yubico PAM Module before 2
ghsa_unreviewed · 2022-04-22 · CRITICAL · CWE-20
OSV
CVE-2011-4120: Yubico PAM Module before 2
osv · 2019-11-26 · CVSS 9.8 · CRITICAL
Debian
CVE-2011-4120: yubico-pam - Yubico PAM Module before 2.10 performed user authentication when 'use_first_pass...
vendor_debian · 2011 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: resolved (fixed in 2.10-1)
bullseye: resolved (fixed in 2.10-1)
forky: resolved (fixed in 2.10-1)
sid: resolved (fixed in 2.10-1)
trixie: resolved (fixed in 2.10-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-4120 pam_yubico: Authentication bypass via NULL password [epel-all]
bugzilla · 2011-11-07 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=733322
Please note: this issue affects multip
Bugzilla
CVE-2011-4120 pam_yubico: Authentication bypass via NULL password [fedora-all]
bugzilla · 2011-11-07 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=733322
Please note: this issue affects mult
Bugzilla
CVE-2011-4120 pam_yubico: Authentication bypass via NULL password
bugzilla · 2011-08-25 · CVSS 9.8 · CRITICAL
Created attachment 519836
Patch that solves this major security bug
What steps will reproduce the problem?
1. When pressing Ctrl-D when Yubico PAM Module prompts for password.
What is the expected output? What do you see instead?
It just logs in without asking for a password.
What version of the product are you using? On what operating system?
Linux OS. From version 2.4 to 2.7, as far as I can see.
Please provide any additional information below.
Patch included that solves the problem.
Discussion:
Released version 2.8 that resolves the issue.
---
This is pretty frightening. I'm happy to report I cannot reproduce it, however. Perhaps someone could include more details about PAM config that reproduces it. If this bug has also be r
References
- https://access.redhat.com/security/cve/cve-2011-4120
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4120
- https://security-tracker.debian.org/tracker/CVE-2011-4120
- https://www.openwall.com/lists/oss-security/2011/11/07/6

Published 2019-11-26