CVE-2026-47269
Status: Deferred (pending action)
pam_usb Remote Authentication Bypass via IPv4-mapped IPv6

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: GitHub, Inc.

Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb's deny_remote feature checks utmpx ut_addr_v6 to detect whether an authentication request originates from a remote session. The outer guard was if (utent->ut_addr_v6[0] != 0), which only tests the first 32-bit word of the 128-bit address field. IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) store the IPv4 address in ut_addr_v6[3] with ut_addr_v6[0] == 0. On systems where the SSH daemon listens on :: (IPv6 wildcard) with AddressFamily any -- common on Ubuntu and Debian -- incoming IPv4 connections are recorded in utmpx as IPv4-mapped IPv6 addresses. The outer check evaluates to false, the remote-detection block is skipped entirely, and the session is treated as local. deny_remote=true does not block the authentication. An attacker with physical access to a registered USB device can authenticate over SSH on an affected system as if they were sitting at a local terminal, bypassing the deny_remote restriction. This vulnerability is fixed in 0.9.0.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor   Product   Version / Range
mcdope   pam_usb   < 0.9.0 (0.9.0 excluded)
mcdope   pam_usb   0.9.0
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Quick Actions
Executive Summary

pam_usb provides hardware authentication for Linux using removable media; versions prior to 0.9.0 are affected. The issue is in the deny_remote feature, which tries to detect whether an authentication request comes from a remote session by checking only the first 32-bit word (ut_addr_v6[0]) of the 128-bit IPv6 address field in utmpx. IPv4-mapped IPv6 addresses, however, store the IPv4 address in the last word (ut_addr_v6[3]) and leave ut_addr_v6[0] equal to zero. On systems where SSH listens on the IPv6 wildcard (::) and therefore records incoming IPv4 connections as IPv4-mapped IPv6 addresses, the check treats remote SSH sessions as local. An attacker holding a registered USB device can then authenticate over SSH as if local, bypassing the deny_remote restriction.

Impact Analysis

This vulnerability can allow an attacker who has physical access to a registered USB authentication device to remotely authenticate over SSH on an affected system as if they were physically present at the local terminal. This bypasses the intended deny_remote restriction, potentially giving unauthorized remote access with high confidentiality and integrity impact, as indicated by the CVSS score.

Mitigation Strategies

To mitigate this vulnerability, upgrade pam_usb to version 0.9.0 or later, where the issue with the deny_remote feature is fixed.

Compliance Impact

The vulnerability in pam_usb allows an attacker with physical access to a registered USB device to bypass the deny_remote restriction and authenticate over SSH as if they were at a local terminal. This improper access control flaw (CWE-284) impacts confidentiality and integrity by allowing unauthorized remote access.

Such unauthorized access could lead to violations of compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive data and systems to protect confidentiality and integrity.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to failure to adequately restrict remote access and protect sensitive information.

Detection Guidance

This vulnerability arises because pam_usb versions prior to 0.9.0 incorrectly classify IPv4-mapped IPv6 remote SSH sessions as local, bypassing the deny_remote restriction. Detection involves identifying if your system is running a vulnerable pam_usb version (0.8.6 or earlier) and if SSH is configured to listen on the IPv6 wildcard (::) with AddressFamily set to any.

To detect the vulnerability on your system, you can:

  • Check the installed pam_usb version: `pam_usb --version` or check package manager info to confirm if it is older than 0.9.0.
  • Inspect your SSH daemon configuration file (usually `/etc/ssh/sshd_config`) for the `AddressFamily` setting. If it is set to `any` or includes IPv6 wildcard (::), your system may be affected.
  • Monitor active SSH sessions and their recorded addresses in the utmpx database to see if IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) are present, which could indicate the bypass scenario.

Example commands:

  • Check pam_usb version: `pam_usb --version` or `dpkg -l | grep pam_usb` (Debian/Ubuntu) or `rpm -qi pam_usb` (RedHat/CentOS).
  • Check SSH AddressFamily setting: `grep -i AddressFamily /etc/ssh/sshd_config`
  • List current SSH sessions and their IP addresses: `who` or `w` commands, then cross-check if IPv4-mapped IPv6 addresses appear.
  • Examine utmpx entries directly (requires programming or specialized tools) to verify if ut_addr_v6 fields contain IPv4-mapped IPv6 addresses.
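The following is an added example, not pam_usb's own code, that reproduces the guard described in the advisory's description (testing only ut_addr_v6[0]) beside a whole-field check, and walks the live utmpx database as the last bullet above suggests to list sessions the old guard would have classified as local. The whole-field check is my assumption of a correct test, not necessarily the upstream 0.9.0 patch; the sample addresses are constructed (RFC 5737/3849 documentation ranges).

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <utmpx.h>

/* Vulnerable guard as described in the advisory: only the first 32-bit word is tested. */
int remote_by_vulnerable_guard(const int32_t addr[4]) {
    return addr[0] != 0;
}

/* Whole-field check (assumption, not necessarily the upstream fix):
 * any non-zero word means sshd recorded a peer address, so the session is remote. */
int remote_by_whole_field_guard(const int32_t addr[4]) {
    for (int i = 0; i < 4; i++)
        if (addr[i] != 0) return 1;
    return 0;
}

/* Fill a ut_addr_v6-style array from text the way sshd stores peers: an IPv6 address
 * (including ::ffff:a.b.c.d) fills all 16 bytes, a plain IPv4 address only word 0.
 * Returns 0 on success, -1 if the text is not an address. */
int fill_addr(const char *text, int32_t addr[4]) {
    struct in6_addr a6; struct in_addr a4;
    memset(addr, 0, 4 * sizeof addr[0]);
    if (inet_pton(AF_INET6, text, &a6) == 1) { memcpy(addr, &a6, 16); return 0; }
    if (inet_pton(AF_INET, text, &a4) == 1) { memcpy(addr, &a4, 4); return 0; }
    return -1;
}

/* Convenience wrappers: 1 = remote, 0 = local, -1 = unparsable. */
int vulnerable_says_remote(const char *text) {
    int32_t a[4]; return fill_addr(text, a) ? -1 : remote_by_vulnerable_guard(a);
}
int whole_field_says_remote(const char *text) {
    int32_t a[4]; return fill_addr(text, a) ? -1 : remote_by_whole_field_guard(a);
}

/* Stand-alone use: report live sessions the old guard would have misclassified as local. */
int main(void) {
    struct utmpx *u; char buf[INET6_ADDRSTRLEN];
    while ((u = getutxent()) != NULL) {
        if (u->ut_type != USER_PROCESS) continue;
        if (remote_by_vulnerable_guard(u->ut_addr_v6) || !remote_by_whole_field_guard(u->ut_addr_v6)) continue;
        inet_ntop(AF_INET6, u->ut_addr_v6, buf, sizeof buf);
        printf("%.32s %.32s %s  (remote, but old guard saw local)\n", u->ut_user, u->ut_line, buf);
    }
    endutxent();
    return 0;
}
```

Run it as root on a host with active SSH logins; any line printed is a session that a pre-0.9.0 deny_remote check would have let through.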