Bug 1871217 (CVE-2020-24612)

Summary: CVE-2020-24612 selinux-policy: SELinux prevents pam-u2f to work correctly, disabling the 2nd factor during authentication
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that when SELinux works in enforced mode, pam-u2f is not allowed to read the user's U2F configuration file. If configured with 'nouserok' option, which is the default when configured with the authselect tool, if that file cannot be read, the 2nd factor is disabled. So in such a configuration, an attacker with only the knowledge of the password can log in without the need for the 2nd factor.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-21 21:15:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1860888, 1871219    
Bug Blocks: 1861064    

Description Cedric Buissart 2020-08-21 15:56:02 UTC
By default, authselect configures pam-u2f such as if a user's configuration file can not be read, the 2nd factor will be ignored and only the password will be taken into account.

This is an issue in SELinux environments, where SELinux runs in enforcing mode and prevents pam-u2f to read the user's configuration due to missing policies.

Comment 2 Cedric Buissart 2020-08-21 15:56:08 UTC

To manually permit the read of the config file, the file's SELinux context can be modified :
For example, for a given user '<USER>' :
# chcon -R -t auth_home_t ~<USER>/.config/Yubico

Comment 4 Cedric Buissart 2020-08-21 15:59:38 UTC
Created selinux-policy tracking bugs for this issue:

Affects: fedora-all [bug 1871219]

Comment 5 Product Security DevOps Team 2020-08-21 21:15:20 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 6 Cedric Buissart 2020-08-24 18:57:45 UTC

Name: Dietmar Lippold

Comment 7 Cedric Buissart 2020-08-25 07:11:49 UTC
External References:


Comment 8 Cedric Buissart 2020-08-25 07:12:50 UTC
Upstream fix:
* Add file context for ~/.config/Yubico 

Comment 10 Cedric Buissart 2020-09-07 15:31:47 UTC

Red Hat Enterprise Linux is not affected by this issue as it does not ship pam-u2f.

In Fedora, updating the package does not trigger a relabeling of the users' pre-existing 2nd factor configuration (including root), and such may need to be manually updated, using the `fixfiles onboot` command, followed by a reboot (or by applying the mitigation).