Unknown · Himmelblau · CVE-2025-53013
Name of the Vulnerable Software and Affected Versions:
Himmelblau versions 0.9.10 through 0.9.16
Description:
A vulnerability in Himmelblau allows a user to authenticate to a Linux host with an invalid Linux Hello PIN while the host is offline. The issue stems from an incorrect assumption in the `acquire_token_by_hello_for_business_key` function, which fails to return a `TPMFail` error for an invalid Hello key when offline; instead, the system transitions to an offline success state without validating that the Hello key was unlocked. This affects systems that use Himmelblau for authentication with Hello PIN authentication enabled while operating in an offline state.
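The following Rust model is an added illustration of the fail-open pattern the description refers to and its fail-closed counterpart; it is not Himmelblau's code, and the types, function names and PIN handling are hypothetical stand-ins constructed for the example. The vulnerable shape takes the offline branch before the key-unlock result is consulted, so an invalid PIN still yields an offline success; the fixed shape propagates the unlock failure before any offline fallback is considered.

```rust
// Added illustration (not Himmelblau's code): a minimal model of an offline
// Hello PIN check. All names below are hypothetical stand-ins.

#[derive(Debug, PartialEq)]
pub enum AuthResult {
    Success,
    OfflineSuccess,
    Denied,
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    /// The Hello key could not be unlocked with the supplied PIN.
    TpmFail,
    /// The identity provider could not be reached.
    NetworkUnreachable,
}

/// Stand-in for a TPM-sealed Hello key: the unlock succeeds only with the
/// correct PIN (a constructed comparison, not real TPM sealing).
pub struct HelloKey {
    expected_pin: String,
}

impl HelloKey {
    pub fn new(pin: &str) -> Self {
        HelloKey { expected_pin: pin.to_string() }
    }

    pub fn unlock(&self, pin: &str) -> Result<(), AuthError> {
        if pin == self.expected_pin { Ok(()) } else { Err(AuthError::TpmFail) }
    }
}

/// Stand-in for the token request to the identity provider.
fn request_token(online: bool) -> Result<(), AuthError> {
    if online { Ok(()) } else { Err(AuthError::NetworkUnreachable) }
}

/// Vulnerable shape: the network-failure branch is matched before the unlock
/// result is examined, so an invalid PIN still produces OfflineSuccess.
pub fn authenticate_vulnerable(key: &HelloKey, pin: &str, online: bool) -> AuthResult {
    let unlock = key.unlock(pin);
    match request_token(online) {
        Ok(()) => match unlock {
            Ok(()) => AuthResult::Success,
            Err(_) => AuthResult::Denied,
        },
        // Offline: the unlock result is never consulted here.
        Err(AuthError::NetworkUnreachable) => AuthResult::OfflineSuccess,
        Err(_) => AuthResult::Denied,
    }
}

/// Fixed shape: the key unlock is validated first and TpmFail is returned
/// regardless of connectivity; only a successful unlock may reach the
/// offline path.
pub fn authenticate_fixed(key: &HelloKey, pin: &str, online: bool) -> Result<AuthResult, AuthError> {
    key.unlock(pin)?; // propagate TpmFail before any offline fallback
    match request_token(online) {
        Ok(()) => Ok(AuthResult::Success),
        Err(AuthError::NetworkUnreachable) => Ok(AuthResult::OfflineSuccess),
        Err(e) => Err(e),
    }
}

fn main() {
    let key = HelloKey::new("1234");
    println!("vulnerable, wrong PIN, offline: {:?}", authenticate_vulnerable(&key, "0000", false));
    println!("fixed, wrong PIN, offline:      {:?}", authenticate_fixed(&key, "0000", false));
    println!("fixed, right PIN, offline:      {:?}", authenticate_fixed(&key, "1234", false));
}
```

The design point is ordering: any credential check that has an offline fallback must evaluate the local proof (here, the key unlock) before deciding whether the offline path applies, so that a connectivity failure can never substitute for a successful unlock.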
Recommendations:
For Himmelblau versions 0.9.10 through 0.9.16, update to version 0.9.17 to resolve the issue.
As a temporary workaround for users who cannot upgrade immediately, disable Hello PIN authentication by setting `enable_hello = false` in `/etc/himmelblau/himmelblau.conf`.