CVE-2019-12209

7.5 HIGH

📋 TL;DR

CVE-2019-12209 is a symlink-handling vulnerability in Yubico pam-u2f 1.0.7 that allows local attackers to read arbitrary files owned by root when debug logging is enabled. The PAM module opens and parses the user's authentication file as root without checking whether it is a symlink, and the debug output echoes what it parsed, so a symlink from the authfile to a root-owned file leaks that file's contents into the log. This affects systems using pam-u2f for two-factor authentication with the default configuration.

💻 Affected Systems

Products:
  • Yubico pam-u2f
Versions: Version 1.0.7 specifically (and possibly earlier versions with similar symlink handling)
Operating Systems: Linux systems using PAM authentication with pam-u2f module
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when debug option is enabled in PAM configuration and openasuser is not enabled. Default authfile location is $HOME/.config/Yubico/u2f_keys.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Root-owned sensitive files (like /etc/shadow, SSH keys, configuration files) could be read and logged, potentially leading to credential theft or privilege escalation.

🟠 Likely Case

Local users can read portions of root-owned files that get logged when debug mode is enabled, potentially exposing sensitive configuration data or credentials.

🟢 If Mitigated

With openasuser enabled or debug logging disabled, the impact is limited as the file would be parsed as the user or no sensitive data would be logged.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: MEDIUM - Internal users with shell access could exploit this to read sensitive root-owned files if debug logging is enabled.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to create symlinks and trigger PAM authentication. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.0.8 and later

Vendor Advisory: https://developers.yubico.com/pam-u2f/Release_Notes.html

Restart Required: No

Instructions:

1. Update pam-u2f to version 1.0.8 or later using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install libpam-u2f
3. For RHEL/CentOS: sudo yum update pam-u2f
4. Verify the update with pamu2fcfg --version

🔧 Temporary Workarounds

Disable debug logging

Remove or comment out the debug option on the pam_u2f.so lines in the PAM configuration files. The sed address restricts the edit to lines that load pam-u2f, so the debug options of other modules are left alone; \b is a GNU sed word boundary, so a debug_file= option is not touched:

sudo sed -i '/pam_u2f\.so/s/\bdebug\b//g' /etc/pam.d/*

Enable openasuser option

Add the openasuser option to the pam_u2f.so lines so the authfile is opened and parsed as the user instead of root. The /openasuser/! guard skips lines that already have the option, so the command is safe to run more than once:

sudo sed -i '/pam_u2f\.so/{/openasuser/!s/pam_u2f\.so/& openasuser/;}' /etc/pam.d/*

🧯 If You Can't Patch

  • Disable debug logging in all PAM configurations using pam-u2f
  • Enable openasuser option in pam-u2f PAM configurations

🔍 How to Verify

Check if Vulnerable:

Check if pam-u2f version is 1.0.7 or earlier and a pam_u2f.so line has the debug option without openasuser: grep -rE 'pam_u2f\.so.*\bdebug\b' /etc/pam.d/ | grep -v openasuser

Check Version:

pamu2fcfg --version 2>/dev/null || dpkg -l | grep libpam-u2f || rpm -q pam-u2f

Verify Fix Applied:

Verify pam-u2f version is 1.0.8 or later (a version sort handles any later release number, which a fixed regex can miss): v=$(pamu2fcfg --version | grep -o '[0-9][0-9.]*' | head -1); [ "$(printf '%s\n1.0.8\n' "$v" | sort -V | head -1)" = 1.0.8 ] && echo 'Patched'
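As an added example, not code from the advisory or from the pam-u2f project, the following POSIX shell script ties the two workarounds to the verification step: pam_u2f_status reports whether a PAM service file has a non-comment pam_u2f.so line carrying debug but not openasuser (the condition this CVE needs), and pam_u2f_harden rewrites only those pam_u2f.so lines, stripping the debug token (but not debug_file=) and appending openasuser when it is missing, so it can be re-run safely. The sample service file is constructed and written to a temp file; on a real host the argument would be a file under /etc/pam.d/. Both function names are my own.

```shell
#!/bin/sh
# Added example, not from the advisory or pam-u2f: check and harden pam_u2f
# lines in a PAM service file. Function names are hypothetical.

# Prints "vulnerable" if any non-comment pam_u2f.so line has the debug option
# but not openasuser (the condition CVE-2019-12209 needs), otherwise "ok".
pam_u2f_status() {
    if grep -v '^[[:space:]]*#' "$1" \
        | grep 'pam_u2f\.so' \
        | grep -w 'debug' \
        | grep -vqw 'openasuser'; then
        echo vulnerable
    else
        echo ok
    fi
}

# Rewrites only non-comment pam_u2f.so lines: strips the debug token (a
# debug_file= option does not match) and appends openasuser when missing.
# Comment lines and other modules pass through untouched; safe to repeat.
pam_u2f_harden() {
    tmp="$1.tmp.$$"
    sed -e '/^[[:space:]]*#/b' \
        -e '/pam_u2f\.so/{' \
        -e 's/[[:space:]]\{1,\}debug[[:space:]]/ /g' \
        -e 's/[[:space:]]\{1,\}debug$//' \
        -e '/openasuser/!s/$/ openasuser/' \
        -e '}' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample service file resembling a pam-u2f sudo stanza with the
# default authfile location; a commented-out line checks that comments are
# ignored by both functions.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#%PAM-1.0
auth required pam_u2f.so cue debug
# auth optional pam_u2f.so debug
auth include system-auth
EOF

pam_u2f_status "$SAMPLE"     # vulnerable
pam_u2f_harden "$SAMPLE"
pam_u2f_status "$SAMPLE"     # ok
cat "$SAMPLE"
rm -f "$SAMPLE"
```

After hardening, the pam_u2f.so line reads "auth required pam_u2f.so cue openasuser" and the commented line is unchanged; running pam_u2f_harden a second time adds nothing further. Copy the real service file before pointing the harden function at it, since a malformed pam.d entry can lock you out of the service it governs.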

📡 Detection & Monitoring

Log Indicators:

  • Debug logs containing unexpected file contents in /var/log/auth.log or /var/log/secure
  • Authentication attempts with unusual authfile paths

Network Indicators:

  • None - this is a local file system vulnerability

SIEM Query:

(source="*auth.log" OR source="*secure") "pam_u2f" "debug" ("shadow" OR "passwd" OR "/etc/")

Splunk-style search; the parentheses around the two source terms are required because AND binds tighter than OR, so without them the query would only apply the pam_u2f and debug terms to the second source.
