CVE-2021-31924

Name of the Vulnerable Software and Affected Versions Yubico pam-u2f versions prior to 1.1.1

Description The issue is related to a logic problem in pam-u2f that could lead to a local PIN bypass, depending on the pam-u2f configuration and the application used. This does not allow user presence or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed.

Recommendations For versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue. As a temporary workaround, consider configuring the application to not allow NULL as the PIN, or restrict access to the pam-u2f module to minimize the risk of exploitation.