CVE Vulnerabilities

CVE-2020-24612

Improper Authentication

Published: Aug 24, 2020 | Modified: Sep 01, 2020
CVSS 3.x
4.7
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
1.9 LOW
AV:L/AC:M/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
4 MODERATE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Ubuntu
LOW

An issue was discovered in the selinux-policy (aka Reference Policy) package 3.14 through 2020-08-24 because the .config/Yubico directory is mishandled. Consequently, when SELinux is in enforced mode, pam-u2f is not allowed to read the users U2F configuration file. If configured with the nouserok option (the default when configured by the authselect tool), and that file cannot be read, the second factor is disabled. An attacker with only the knowledge of the password can then log in, bypassing 2FA.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Selinux-policy Fedoraproject 3.14 (including) 2020-08-24 (including)
Refpolicy Ubuntu bionic *
Refpolicy Ubuntu groovy *
Refpolicy Ubuntu hirsute *
Refpolicy Ubuntu impish *
Refpolicy Ubuntu kinetic *
Refpolicy Ubuntu lunar *
Refpolicy Ubuntu mantic *
Refpolicy Ubuntu trusty *
Refpolicy Ubuntu xenial *

Potential Mitigations

References