CVE-2018-9275 in Yubico PAM Module

Summary

by MITRE

In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) 2.18 through 2.25, successful logins can leak file descriptors to the auth mapping file, which can lead to information disclosure (serial number of a device) and/or DoS (reaching the maximum number of file descriptors).


Analysis

by VulDB Data Team • 02/27/2023

The vulnerability identified as CVE-2018-9275 affects the Yubico PAM module (pam_yubico) versions 2.18 through 2.25, specifically the check_user_token function in util.c. It is not a flaw in the OTP validation itself: the module still verifies the one-time password correctly, and the advisory describes no way to bypass the second factor. The defect is in how the module handles the file descriptor of the authorization mapping file during a successful login. That descriptor is never released, which produces two distinct consequences: an information disclosure vector, because the open file can end up in the hands of the logged-in user, and a resource exhaustion vector, because every successful login consumes one more descriptor.

Technically, check_user_token opens the mapping file, which lists each user name followed by the token identifiers authorized for that account, and scans it line by line. When a line matching the user and token is found, the function returns success from inside the read loop without closing the file, so the descriptor stays open in the process that invoked the PAM stack. The miss path, where the scan reaches end of file, closes the file normally, which is why only successful logins leak. An open descriptor is inherited across fork and exec unless it is marked close-on-exec, so a login program that authenticates and then starts the user's session can hand the still-open mapping file to the user's shell, for example readable through /proc/self/fd on Linux. The user can then read a file that may not otherwise be readable to them and learn the device identifiers (described as serial numbers in the CVE text) assigned to other accounts on the host. In CWE terms this is an improper release of a resource (CWE-404, Improper Resource Shutdown or Release); it is not CWE-472 (External Control of Assumed-Immutable Web Parameter) and it is not an insecure direct object reference.

The operational impact extends beyond information disclosure to a denial of service condition. A short-lived login process discards the leaked descriptor when it exits, but a long-running process that authenticates many sessions without exec'ing, such as a daemon that uses PAM for each client connection, accumulates one descriptor per successful login. Once the process reaches its descriptor limit (RLIMIT_NOFILE), opening the mapping file fails and every subsequent authentication in that process fails, denying service to legitimate users until the process is restarted. The exhaustion side of the issue aligns with ATT&CK technique T1499 (Endpoint Denial of Service); no ATT&CK technique cleanly describes the descriptor disclosure.

The exposure of the identifiers in the mapping file matters because they tie accounts to physical tokens. An attacker who already holds one account on the host learns which token belongs to which user, which supports correlating authentication events with specific devices and choosing which token or account to target; on multi-user systems the mapping file typically covers every account that uses the module. Organizations deploying pam_yubico for two-factor authentication should update to pam_yubico 2.26 or later, the first release outside the affected range. Until then, a leaked descriptor is easy to confirm on Linux: after a successful login, list the descriptors of a session process with `ls -l /proc/<pid>/fd` and look for the mapping file; for daemons that authenticate repeatedly, watch descriptor counts for steady growth and be prepared to restart the process before the limit is reached.
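The leak and its repair, as an added example that is neither pam_yubico's code nor VulDB's: a lookup that returns from inside the read loop without closing the file, next to one that closes on every path and opens the file close-on-exec. The mapping-file layout (user:tokenid:tokenid) follows pam_yubico's authorization file format; the function names, the descriptor probes and the sample file are assumptions for the demonstration and are constructed here.

```c
/* Added example, not pam_yubico code. Shows the descriptor-leak pattern behind
 * CVE-2018-9275 next to a fixed version. Mapping lines are "user:tok[:tok...]"
 * as in pam_yubico's authorization file; everything else is assumed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Lowest unused descriptor number: it rises by one for every leaked descriptor. */
int lowest_free_fd(void) {
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return -1;
    close(fd);
    return fd;
}

/* 1 if the descriptor survives exec() (no FD_CLOEXEC), 0 if close-on-exec, -1 if bad. */
int fd_inherited_across_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Does one "user:tok1:tok2" line authorize token for user? Modifies line in place. */
static int line_matches(char *line, const char *user, const char *token) {
    char *save = NULL;
    line[strcspn(line, "\r\n")] = '\0';
    if (line[0] == '#' || line[0] == '\0') return 0;
    char *field = strtok_r(line, ":", &save);
    if (!field || strcmp(field, user) != 0) return 0;
    while ((field = strtok_r(NULL, ":", &save)) != NULL)
        if (strcmp(field, token) == 0) return 1;
    return 0;
}

/* Leaky variant: a match returns from inside the loop without fclose(), so each
 * successful lookup leaves the mapping file's descriptor open in the process. */
int check_user_token_leaky(const char *path, const char *user, const char *token) {
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    char line[1024];
    while (fgets(line, sizeof line, fp)) {
        if (line_matches(line, user, token))
            return 1;                  /* BUG: fp is never closed on this path */
    }
    fclose(fp);                        /* only the miss path gets here */
    return 0;
}

/* Fixed variant: a single exit path closes the file, and O_CLOEXEC keeps the
 * descriptor out of any session process even if a future bug leaked it again. */
int check_user_token_fixed(const char *path, const char *user, const char *token) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    FILE *fp = fdopen(fd, "r");
    if (!fp) { close(fd); return -1; }
    int found = 0;
    char line[1024];
    while (!found && fgets(line, sizeof line, fp))
        found = line_matches(line, user, token);
    fclose(fp);
    return found;
}

/* Read the mapping file through an already-open descriptor, as a session process
 * that inherited a leaked descriptor could. Returns bytes read or -1. */
ssize_t read_through_fd(int fd, char *buf, size_t cap) {
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Write a constructed sample mapping file into a mkstemp template; 0 on success. */
int make_sample_mapping(char *template_path) {
    static const char body[] =
        "# constructed sample for the demo, not a real deployment\n"
        "alice:cccccccccccc:dddddddddddd\n"
        "bob:eeeeeeeeeeee\n";
    int fd = mkstemp(template_path);
    if (fd < 0) return -1;
    int ok = write(fd, body, sizeof body - 1) == (ssize_t)(sizeof body - 1);
    close(fd);
    return ok ? 0 : -1;
}

int main(void) {
    char path[] = "/tmp/ykmap_demo_XXXXXX";
    if (make_sample_mapping(path) != 0) return 1;
    int before = lowest_free_fd();
    for (int i = 0; i < 3; i++) check_user_token_leaky(path, "alice", "cccccccccccc");
    printf("leaky: %d descriptors leaked by 3 successful logins\n", lowest_free_fd() - before);
    for (int i = 0; i < 3; i++) check_user_token_fixed(path, "alice", "cccccccccccc");
    printf("fixed: %d further descriptors after 3 more logins\n", lowest_free_fd() - before - 3);
    unlink(path);
    return 0;
}
```

The probe works by asking the kernel for the lowest free descriptor number, so a leak shows up as that number climbing once per successful lookup while failed lookups leave it unchanged, which is exactly the "successful logins only" shape of the CVE. The O_CLOEXEC flag in the fixed variant is defence in depth rather than the fix itself: closing the file on every path removes the leak, and close-on-exec ensures that even a leaked descriptor could not reach a session process started by the authenticating program.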

Reservation

04/04/2018

Disclosure

04/04/2018

Moderation

accepted

CPE

ready

EPSS

0.00492

KEV

no

Activities

very low

Sources
