Bug 1871217 (CVE-2020-24612) - CVE-2020-24612 selinux-policy: SELinux prevents pam-u2f to work correctly, disabling the 2nd factor during authentication
Summary: CVE-2020-24612 selinux-policy: SELinux prevents pam-u2f to work correctly, di...
Alias: CVE-2020-24612
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1860888 1871219
Blocks: 1861064
TreeView+ depends on / blocked
Reported: 2020-08-21 15:56 UTC by Cedric Buissart
Modified: 2021-02-16 19:26 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that when SELinux works in enforced mode, pam-u2f is not allowed to read the user's U2F configuration file. If configured with 'nouserok' option, which is the default when configured with the authselect tool, if that file cannot be read, the 2nd factor is disabled. So in such a configuration, an attacker with only the knowledge of the password can log in without the need for the 2nd factor.
Clone Of:
Last Closed: 2020-08-21 21:15:20 UTC

Attachments (Terms of Use)

Description Cedric Buissart 2020-08-21 15:56:02 UTC
By default, authselect configures pam-u2f such as if a user's configuration file can not be read, the 2nd factor will be ignored and only the password will be taken into account.

This is an issue in SELinux environments, where SELinux runs in enforcing mode and prevents pam-u2f to read the user's configuration due to missing policies.

Comment 2 Cedric Buissart 2020-08-21 15:56:08 UTC

To manually permit the read of the config file, the file's SELinux context can be modified :
For example, for a given user '<USER>' :
# chcon -R -t auth_home_t ~<USER>/.config/Yubico

Comment 4 Cedric Buissart 2020-08-21 15:59:38 UTC
Created selinux-policy tracking bugs for this issue:

Affects: fedora-all [bug 1871219]

Comment 5 Product Security DevOps Team 2020-08-21 21:15:20 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 6 Cedric Buissart 2020-08-24 18:57:45 UTC

Name: Dietmar Lippold

Comment 7 Cedric Buissart 2020-08-25 07:11:49 UTC
External References:


Comment 8 Cedric Buissart 2020-08-25 07:12:50 UTC
Upstream fix:
* Add file context for ~/.config/Yubico 

Comment 10 Cedric Buissart 2020-09-07 15:31:47 UTC

Red Hat Enterprise Linux is not affected by this issue as it does not ship pam-u2f.

In Fedora, updating the package does not trigger a relabeling of the users' pre-existing 2nd factor configuration (including root), and such may need to be manually updated, using the `fixfiles onboot` command, followed by a reboot (or by applying the mitigation).

Note You need to log in before you can comment on or make changes to this bug.