Bug 1871217 (CVE-2020-24612)

Summary: CVE-2020-24612 selinux-policy: SELinux prevents pam-u2f from working correctly, disabling the 2nd factor during authentication
Product: [Other] Security Response
Reporter: Cedric Buissart <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that when SELinux runs in enforcing mode, pam-u2f is not allowed to read the user's U2F configuration file. If pam-u2f is configured with the 'nouserok' option, which is the default when configured with the authselect tool, the 2nd factor is disabled whenever that file cannot be read. So in such a configuration, an attacker with only the knowledge of the password can log in without the need for the 2nd factor.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-08-21 21:15:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1860888, 1871219
Bug Blocks: 1861064

Description Cedric Buissart 2020-08-21 15:56:02 UTC
By default, authselect configures pam-u2f such that if a user's configuration file cannot be read, the 2nd factor will be ignored and only the password will be taken into account.

This is an issue in SELinux environments, where SELinux runs in enforcing mode and prevents pam-u2f from reading the user's configuration due to missing policies.

Comment 2 Cedric Buissart 2020-08-21 15:56:08 UTC
Mitigation:

To manually permit the read of the config file, the file's SELinux context can be modified:
For example, for a given user '<USER>':
# chcon -R -t auth_home_t ~<USER>/.config/Yubico

Comment 4 Cedric Buissart 2020-08-21 15:59:38 UTC
Created selinux-policy tracking bugs for this issue:

Affects: fedora-all [bug 1871219]

Comment 5 Product Security DevOps Team 2020-08-21 21:15:20 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 6 Cedric Buissart 2020-08-24 18:57:45 UTC
Acknowledgments:

Name: Dietmar Lippold

Comment 7 Cedric Buissart 2020-08-25 07:11:49 UTC
External References:

https://bugzilla.redhat.com/show_bug.cgi?id=1860888

Comment 8 Cedric Buissart 2020-08-25 07:12:50 UTC
Upstream fix:
* Add file context for ~/.config/Yubico 
https://github.com/fedora-selinux/selinux-policy/commit/71e1989028802c7875d3436fd3966c587fa383fb

Comment 10 Cedric Buissart 2020-09-07 15:31:47 UTC
Statement:

Red Hat Enterprise Linux is not affected by this issue as it does not ship pam-u2f.

In Fedora, updating the package does not trigger a relabeling of the users' pre-existing 2nd factor configuration (including root), so it may need to be manually updated, using the `fixfiles onboot` command, followed by a reboot (or by applying the mitigation).
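The following is an added audit helper, not code from the bug report or from the selinux-policy project, that ties together the Doc Text, the Comment 2 mitigation and the Comment 10 relabel note: it decides from a pam.d module line and a file's SELinux context whether an account is in the fail-open state (nouserok set, file not readable by pam-u2f), and names the two remediations the report gives. It assumes the default pam-u2f authfile path ~/.config/Yubico/u2f_keys, that authselect placed the pam_u2f.so line in /etc/pam.d/system-auth or /etc/pam.d/password-auth, and that the corrected label is auth_home_t (the type Comment 2 uses); the PAM lines and context strings used as sample input are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report. Audit helpers for the fail-open
# condition of CVE-2020-24612: pam_u2f with 'nouserok' silently drops the
# second factor when SELinux denies the read of ~/.config/Yubico.
# Assumptions: authfile is ~/.config/Yubico/u2f_keys, the pam_u2f line lives in
# system-auth/password-auth, and auth_home_t is the correct type (Comment 2).

# Is this pam.d module line a pam_u2f line carrying the 'nouserok' option?
# Returns 0 = yes (fail-open), 1 = pam_u2f without nouserok, 2 = not a pam_u2f line.
pam_u2f_nouserok() {
    case "$1" in
        *pam_u2f.so*) ;;
        *) return 2 ;;
    esac
    for word in $1; do
        [ "$word" = "nouserok" ] && return 0
    done
    return 1
}

# Extract the SELinux type from a context such as
# "unconfined_u:object_r:user_home_t:s0" (the form `stat -c %C` prints).
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One verdict per account from the two facts above:
#   fail-open   nouserok set and file not auth_home_t: the password alone logs in
#   unreadable  nouserok absent and file not auth_home_t: the factor is not
#               silently dropped, but pam_u2f still cannot read the file
#   ok          file carries auth_home_t
#   n/a         pam_u2f is not enabled on that line
u2f_verdict() {
    pam_line=$1; ctx=$2
    rc=0
    pam_u2f_nouserok "$pam_line" || rc=$?
    if [ "$rc" -eq 2 ]; then echo "n/a"; return 0; fi
    if [ "$(selinux_type_of "$ctx")" = "auth_home_t" ]; then echo "ok"; return 0; fi
    if [ "$rc" -eq 0 ]; then echo "fail-open"; else echo "unreadable"; fi
}

# Live check for one account on an SELinux host: reads the real context with
# stat(1) and the real pam_u2f line, then prints the verdict and, when the file
# is mislabelled, the remediations named in Comment 2 and Comment 10.
live_check() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    keys="$home/.config/Yubico/u2f_keys"   # default pam-u2f authfile (assumption)
    [ -e "$keys" ] || { echo "$user: no u2f_keys file"; return 0; }
    ctx=$(stat -c %C "$keys")
    pam_line=$(grep -h 'pam_u2f\.so' /etc/pam.d/system-auth /etc/pam.d/password-auth 2>/dev/null | head -n 1)
    verdict=$(u2f_verdict "$pam_line" "$ctx")
    echo "$user: $verdict ($ctx)"
    case "$verdict" in
        fail-open|unreadable)
            echo "  fix now:   chcon -R -t auth_home_t \"$home/.config/Yubico\"   (Comment 2)"
            echo "  or, after updating selinux-policy: fixfiles onboot, then reboot (Comment 10)" ;;
    esac
}

# Usage: ./u2f_audit.sh <user>   (run as root on the SELinux host)
if [ -n "${1:-}" ]; then live_check "$1"; fi
```

The "unreadable" verdict is worth keeping separate from "fail-open": both mean the policy is missing the label, but only the nouserok case turns that into a silent single-factor login, which is what makes the default authselect profile the dangerous one here.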