CVE-2026-44712
Deferred - Pending Action
Remote Code Execution in pam_usb Prior to 0.8.7

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a device UUID read from the configuration is placed into a command that is run through a shell, so a crafted UUID such as `$(id>/tmp/rce)` in the config executes arbitrary commands as root when `pamusb-conf --reset-pads` is run. A USB device whose filesystem UUID has been set to such a payload (some controllers allow this) injects it into the configuration at `--add-device` time. Separately, the userName value from the XML config is passed to os.system() in pamusb-agent, which invokes a shell and is injectable the same way. Despite the "remote" in the title, every vector described here requires local or physical access. This vulnerability is fixed in 0.8.7.
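The snippet below is an added illustration of the two patterns the description names, not code from pam_usb itself: a value taken from the config is spliced into a command string that a shell evaluates, versus the same operation done with an argument list and an allowlist check on the UUID. The function names, the `echo` stand-in for the real command, and the set of accepted UUID shapes are assumptions made for this demo; the same fix applies to the userName value handed to os.system().

```python
import re
import subprocess

# Assumed allowlist of filesystem UUID shapes a tool like this would see:
# ext4/LVM style 8-4-4-4-12 lowercase hex, FAT XXXX-XXXX, NTFS 16 hex.
# Anything else is rejected before it can reach a command line.
UUID_RE = re.compile(
    r"^(?:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"|[0-9A-F]{4}-[0-9A-F]{4}"
    r"|[0-9A-F]{16})$"
)


def is_safe_uuid(value: str) -> bool:
    """Allowlist check: True only if value looks like a real filesystem UUID."""
    return UUID_RE.fullmatch(value) is not None


def lookup_vulnerable(uuid: str) -> str:
    """The bug pattern: the UUID is interpolated into a command string that a
    shell parses (the same semantics as os.system). 'echo' stands in for the
    real tool so the demo is harmless; $(...) inside the value is still
    expanded by the shell, which is exactly the injection."""
    cmd = "echo resolving %s" % uuid
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def lookup_no_shell(uuid: str) -> str:
    """First half of the fix: pass argv as a list and never start a shell.
    The value becomes one literal argument whatever characters it contains."""
    out = subprocess.run(["echo", "resolving", uuid],
                         capture_output=True, text=True)
    return out.stdout.strip()


def lookup_hardened(uuid: str) -> str:
    """Second half: validate the value against the allowlist as well, so a
    bogus UUID is reported instead of silently forwarded anywhere."""
    if not is_safe_uuid(uuid):
        raise ValueError("refusing suspicious UUID: %r" % uuid)
    return lookup_no_shell(uuid)


if __name__ == "__main__":
    # Constructed stand-in for the $(id>/tmp/rce) payload; writes nothing.
    payload = "$(echo INJECTED)"
    print("vulnerable:", lookup_vulnerable(payload))   # shell ran the $(...)
    print("no shell:  ", lookup_no_shell(payload))     # printed literally
    try:
        lookup_hardened(payload)
    except ValueError as err:
        print("hardened:  ", err)
    print("hardened:  ", lookup_hardened("1234-ABCD"))
```

Run it and compare the first two lines: with `shell=True` the output reads `resolving INJECTED` because the shell substituted the `$(...)`, while the argv-list form prints the payload verbatim. The allowlist is the second layer; it matters for the `--add-device` path, where the value comes from the device itself and should be rejected at import time rather than stored in the config.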
Affected Vendors & Products
Vendor   Product   Version range
mcdope   pam_usb   before 0.8.7 (affected)
mcdope   pam_usb   0.8.7 and later (fixed)
CWE
CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection'): The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

The vulnerability is in pam_usb, a tool that provides hardware authentication for Linux using removable media. Before version 0.8.7, a device UUID from the configuration is handed to a shell as part of a command, so a UUID containing a command substitution (e.g. `$(id>/tmp/rce)`) executes arbitrary code as root when `pamusb-conf --reset-pads` is run. The CVE title calls this RCE, but the vector is local: the attacker needs to get the payload into the config or onto a device the machine enrolls.

That enrollment is the second path: a USB device whose filesystem UUID has been crafted to carry the payload injects it into the configuration during `pamusb-conf --add-device`. A third issue is that the userName value from the XML configuration is passed directly to os.system() in pamusb-agent, which runs it through a shell, so a crafted user name gives the same command injection.

All of this is fixed in version 0.8.7 of pam_usb.

Impact Analysis

An attacker with physical access to a system, or with the ability to write to the pam_usb configuration, can execute arbitrary commands as root by presenting a USB device with a crafted filesystem UUID or by planting a crafted UUID or user name in the configuration.

The impact is complete compromise of the affected system: full control, access to sensitive data, modification of system configuration, or disruption of operations.

Although the attack requires local or physical access rather than a network path, the outcome is root on a host that uses USB devices for authentication, so it is a high-severity risk in exactly the environments that deploy pam_usb.

Mitigation Strategies

Upgrade pam_usb to version 0.8.7 or later, where the issue is fixed.

Until the upgrade is applied, do not run `pamusb-conf --reset-pads`, do not enroll USB devices from untrusted sources with `pamusb-conf --add-device`, and review the existing configuration for device UUIDs or user names that are anything other than plain identifiers.

Compliance Impact

The vulnerability allows command execution as root via crafted UUIDs or user names that reach a shell, potentially leading to full system compromise.

Such a compromise could result in unauthorized access to sensitive data, which may affect compliance with standards and regulations such as GDPR and HIPAA that require protection of personal and health information. The published advisory does not describe any specific compliance consequence; the above follows only from the root-level impact.

Detection Guidance

Affected installations are those running pam_usb prior to 0.8.7, where shell metacharacters in a device UUID or user name taken from the pam_usb configuration reach a shell.

To look for crafted UUIDs or signs of exploitation, inspect the filesystem UUIDs of attached block devices and the pam_usb configuration for shell metacharacters such as `$(`, backticks, `;`, `|` or `&`, or for any UUID that is not plain hexadecimal digits and dashes:

  • Check the installed pam_usb version: `pamusb-conf --version`, or the package manager's record for the package.
  • List block devices and their filesystem UUIDs: `lsblk -o NAME,UUID` or `blkid`. A legitimate UUID is hex digits and dashes only (e.g. `1234-ABCD` for FAT, or the 8-4-4-4-12 hex form for ext4); anything else is suspect.
  • Inspect the pam_usb XML configuration (`/etc/security/pam_usb.conf` by default; adjust the path if your build installs it elsewhere) for device UUIDs or user names containing shell metacharacters, e.g. `grep -nE '\$\(|`|[;&|]' /etc/security/pam_usb.conf`.
  • Check for files an exploitation attempt would leave behind, such as the `/tmp/rce` marker from the example payload.

Exploitation requires that `pamusb-conf --reset-pads`, `pamusb-conf --add-device`, or pamusb-agent run against a poisoned configuration, so audit logs and shell history showing those commands around the time a new device was attached are useful corroboration.
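The checks above can be scripted. The following is an added example, not part of this page or of pam_usb: it parses a constructed configuration laid out like a pam_usb XML file and constructed `blkid`-style output, and flags every device UUID that is not plain hex-and-dashes and every user name containing shell metacharacters. The element layout of the config, the sample data and the findings format are assumptions made for the demo; point it at the real config and real `blkid` output to use it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pam_usb XML config (element layout is
# an assumption; adjust the paths below if your file differs). The second
# device carries the advisory's example payload, the second user a variant.
SAMPLE_CONFIG = """<configuration>
  <devices>
    <device id="work-key">
      <vendor>SanDisk</vendor><model>Cruzer</model>
      <serial>4C530001</serial><uuid>1234-ABCD</uuid>
    </device>
    <device id="evil-key">
      <vendor>Generic</vendor><model>Flash</model>
      <serial>0000</serial><uuid>$(id&gt;/tmp/rce)</uuid>
    </device>
  </devices>
  <users>
    <user id="alice"><device>work-key</device></user>
    <user id="bob; id &gt; /tmp/pwned"><device>evil-key</device></user>
  </users>
</configuration>
"""

# Constructed blkid-style output: DEVICE: KEY="value" ... per line.
SAMPLE_BLKID = """/dev/sda1: UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" TYPE="ext4"
/dev/sdb1: UUID="1234-ABCD" TYPE="vfat"
/dev/sdc1: UUID="$(id>/tmp/rce)" TYPE="vfat"
"""

# Characters that change the meaning of a command string under a shell.
SHELL_META = re.compile(r"[`$;&|<>(){}\n\\\"']")

# Legitimate filesystem UUIDs are hex digits and dashes, nothing else.
UUID_SHAPE = re.compile(r"^[0-9A-Fa-f]+(?:-[0-9A-Fa-f]+)*$")


def looks_like_uuid(value: str) -> bool:
    """True when value could be a real filesystem UUID (hex and dashes only)."""
    return UUID_SHAPE.fullmatch(value) is not None


def scan_config(xml_text: str) -> list[str]:
    """Flag device UUIDs that are not UUID-shaped and user ids that contain
    shell metacharacters. Returns one finding string per problem."""
    findings = []
    root = ET.fromstring(xml_text)
    for dev in root.iterfind("./devices/device"):
        uuid = (dev.findtext("uuid") or "").strip()
        if not looks_like_uuid(uuid):
            findings.append(f"device {dev.get('id')!r}: suspicious uuid {uuid!r}")
    for user in root.iterfind("./users/user"):
        name = user.get("id", "")
        if SHELL_META.search(name):
            findings.append(f"user {name!r}: shell metacharacters in name")
    return findings


def scan_blkid(text: str) -> list[str]:
    """Flag attached devices whose reported UUID is not UUID-shaped, i.e. a
    device that would poison the config if enrolled with --add-device."""
    findings = []
    for line in text.splitlines():
        m = re.match(r'^(\S+):.*\bUUID="([^"]*)"', line)
        if not m:
            continue
        dev, uuid = m.groups()
        if not looks_like_uuid(uuid):
            findings.append(f"{dev}: suspicious UUID {uuid!r}")
    return findings


if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG) + scan_blkid(SAMPLE_BLKID):
        print(finding)
```

To run it against a live system, replace `SAMPLE_CONFIG` with the contents of the pam_usb config file and `SAMPLE_BLKID` with the output of `blkid`. The shape check is deliberately stricter than a metacharacter blocklist: a UUID that is not hex-and-dashes has no legitimate reason to be in the config at all, so it is flagged even if it happens to avoid every character in the blocklist.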
