CVE-2011-4120
published 2019-11-26


Priority: P262 critical
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.02% (78.5th percentile)
Yubico PAM Module before 2.10 performed user authentication when the 'use_first_pass' PAM configuration option was not used and the module was configured as 'sufficient' in the PAM configuration. A remote attacker could use this flaw to circumvent the common authentication process and obtain access to the account in question by providing a NULL value (pressing the Ctrl-D keyboard sequence) as the password string.

Affected

10 ranges

Vendor      | Product       | Version range                      | Fixed in
debian      | debian_linux  |                                    |
debian      | debian_linux  |                                    |
debian      | debian_linux  |                                    |
debian      | yubico-pam    | < yubico-pam 2.10-1 (bookworm)     | yubico-pam 2.10-1 (bookworm)
yubico-pam  | yubico-pam    |                                    |
yubico-pam  | yubico-pam    | >= 0 < 2.10-1                      | 2.10-1
yubico-pam  | yubico-pam    | >= 0 < 2.10-1                      | 2.10-1
yubico-pam  | yubico-pam    | >= 0 < 2.10-1                      | 2.10-1
yubico-pam  | yubico-pam    | >= 0 < 2.10-1                      | 2.10-1
yubico      | pam_module    | < 2.10                             | 2.10

Detection & IOCs (extracted from sources)

Source URL: https://github.com/Yubico/yubico-pam/commit/4712da70cac159d5ca9579c1e4fac0645b674043
  • Authentication bypass is triggered by supplying a NULL password (Ctrl-D keyboard sequence) at the pam_yubico password prompt when 'use_first_pass' is NOT set and the module is configured as 'sufficient'.
  • Monitor PAM authentication logs for successful logins via pam_yubico where no password/OTP was supplied (empty/null credential). Flag any pam_yubico 'sufficient' auth success events with a blank password field.
  • Affected pam_yubico versions are 2.4 through 2.7 (and up to pre-2.10); flag systems running these versions with pam_yubico configured as 'sufficient' without 'use_first_pass'.
  • The bypass only applies when the 'use_first_pass' PAM option is NOT used AND pam_yubico is configured as 'sufficient' in the PAM stack. Configurations using 'use_first_pass' or 'required'/'requisite' are not directly affected by this specific bypass path.

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv            |         | 9.8   | CRITICAL |
vendor_debian  |         | 9.8   | CRITICAL |