CVE-2025-53013
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-08-20
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Himmelblau, the authentication stack for Linux hosts joined to Microsoft Entra ID (with optional Intune integration). It allows a user to authenticate locally with an invalid Hello PIN while the host is offline. The root cause is a logic error in the function acquire_token_by_hello_for_business_key: the function treats a TPMFail error as the signal that the Hello key (and therefore the PIN) is invalid, but when the host has no network connectivity the call fails earlier, at the nonce request, with a RequestFailed error instead. Because that error is not TPMFail, the code falls through to offline authentication without the Hello key ever having been validated. The user obtains a local session, but Single Sign-On (SSO) fails, since no tokens can be issued without network connectivity. The issue is fixed in version 0.9.17; the workaround is to disable Hello PIN authentication. [3, 1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with physical access to a Linux host running Himmelblau to obtain a local session by entering an invalid Hello PIN while the host is offline. The attacker gets local system access, but Single Sign-On (SSO) does not work, because tokens cannot be issued without network connectivity. The advisory rates the impact as a low confidentiality loss and a high integrity compromise: an unauthorized user can act on the system as the targeted account. Availability is not affected. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two conditions must both hold for a host to be vulnerable: the installed Himmelblau version is in the affected range 0.9.10 through 0.9.16, and Hello PIN authentication is enabled, which is indicated by enable_hello = true in /etc/himmelblau/himmelblau.conf. A vulnerable host can also be confirmed behaviourally: with the host offline, a login attempt with a deliberately wrong Hello PIN succeeds. The resources do not provide dedicated detection commands, so verifying the installed version and the configuration is the practical check. [3]
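The following script is an added example, not code from the Himmelblau project or from BaseFortify. It encodes the two preconditions above as a POSIX shell check: a version-range test against 0.9.10 through 0.9.16 and a parse of enable_hello from the configuration file. It assumes GNU sort -V is available, that the package is named himmelblau in dpkg or rpm (the installed_version helper is a best-effort assumption), and that an absent enable_hello key means the daemon's default of enabled applies; confirm that default against the himmelblau.conf shipped with your version.

```shell
#!/bin/sh
# Added example (not from the Himmelblau project or BaseFortify): check the
# two preconditions of CVE-2025-53013 on a Linux host.
#   1. Himmelblau version in the affected range 0.9.10 .. 0.9.16
#   2. Hello PIN authentication enabled (enable_hello = true).
#      ASSUMPTION: an absent key is treated as enabled (documented default).

# version_ge A B: succeed if A >= B in natural version order (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# is_affected VERSION: succeed if VERSION lies within [0.9.10, 0.9.17).
is_affected() {
    version_ge "$1" "0.9.10" && ! version_ge "$1" "0.9.17"
}

# hello_setting CONFIG_FILE: print the effective enable_hello value in
# lowercase, taking the last uncommented assignment; "true" if none is set.
hello_setting() {
    awk -F= '
        /^[ \t]*#/ { next }
        /^[ \t]*enable_hello[ \t]*=/ {
            v = $2; gsub(/[ \t\r]/, "", v); val = tolower(v)
        }
        END { print (val == "" ? "true" : val) }
    ' "$1"
}

# check_host VERSION CONFIG_FILE: print a verdict; succeed only if vulnerable.
check_host() {
    ver="$1"; conf="$2"
    if ! is_affected "$ver"; then
        echo "himmelblau $ver: not in affected range 0.9.10-0.9.16"
        return 1
    fi
    if [ "$(hello_setting "$conf")" != "true" ]; then
        echo "himmelblau $ver: affected version, but Hello PIN is disabled (workaround in place)"
        return 1
    fi
    echo "himmelblau $ver: VULNERABLE - affected version with enable_hello = true;" \
         "upgrade to 0.9.17 or set enable_hello = false"
    return 0
}

# Best-effort installed-version lookup (package name is an assumption).
installed_version() {
    dpkg-query -W -f='${Version}' himmelblau 2>/dev/null \
        || rpm -q --qf '%{VERSION}' himmelblau 2>/dev/null
}

# Stand-alone demonstration against a constructed config, not a real host's.
tmpconf="$(mktemp)"
cat > "$tmpconf" <<'EOF'
[global]
domains = example.com
# enable_hello = false
enable_hello = true
EOF
check_host "0.9.15" "$tmpconf" || true
check_host "0.9.17" "$tmpconf" || true
rm -f "$tmpconf"
# On a real host:
#   check_host "$(installed_version)" /etc/himmelblau/himmelblau.conf
```

The version test uses a half-open range so that 0.9.17, the fixed release, and anything later are reported as not affected, while a commented-out enable_hello line is ignored and only the last live assignment counts, which is how an INI-style file is normally read.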
What immediate steps should I take to mitigate this vulnerability?
Upgrade Himmelblau to version 0.9.17 or later, where the issue is fixed. If you cannot upgrade right away, disable Hello PIN authentication by setting enable_hello = false in /etc/himmelblau/himmelblau.conf. This workaround removes the affected authentication path entirely, so the faulty offline fallback can no longer be reached. [3]