Executive Summary

The vulnerability exists in pam_usb versions prior to 0.9.0, specifically in the pusb_pad_compare() function. This function was supposed to verify both the user-side pad file (~/.pamusb/device.pad) and the system-side pad file on the USB device to authenticate a user. However, it only checked if the user-side pad was readable and did not enforce the presence or readability of the system-side pad on the USB device.

If the user-side pad file was deleted or unreadable, the function returned a failure that was treated as non-fatal in some code paths. This allowed a local user to bypass the USB device authentication requirement by deleting their own user-side pad file, enabling them to authenticate without the physical USB device.

This flaw effectively allows local users to circumvent hardware-based authentication controls.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a local user to bypass the hardware authentication mechanism that pam_usb provides. By deleting their own user-side pad file, the user can authenticate without needing the physical USB device that is supposed to be required.

As a result, unauthorized access could be gained if an attacker has local access to the system, potentially compromising system security by allowing authentication without the intended hardware token.

The CVSS score of 7.1 indicates a high severity impact on confidentiality and integrity, meaning sensitive information could be exposed or altered due to this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a local user to bypass hardware authentication by deleting their user-side pad file, enabling authentication without the physical USB device. This improper authentication weakness (CWE-287) could lead to unauthorized access to systems that rely on pam_usb for security.

Such unauthorized access risks compromising sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require strong access controls and protection of personal or health information.

Therefore, the vulnerability undermines the effectiveness of authentication controls, potentially leading to violations of regulatory requirements related to data confidentiality and access management.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the pam_usb software allowing authentication bypass if the user-side pad file (~/.pamusb/device.pad) is deleted or unreadable, while the system-side pad on the USB device is not verified. To detect if your system is vulnerable, you can check the version of pam_usb installed and verify if it is prior to 0.9.0, as the issue is fixed in version 0.9.0.

You can also check if the user-side pad file exists and is readable, and whether the system-side pad file on the USB device is present and readable. If the user-side pad file is missing or unreadable, the system may be vulnerable to authentication bypass.

Suggested commands to help detect this vulnerability include:

• Check pam_usb version: `pam_usb --version` or check package version via your package manager (e.g., `dpkg -l | grep pam_usb` or `rpm -q pam_usb`).
• Verify presence and permissions of user-side pad file: `ls -l ~/.pamusb/device.pad`
• Verify presence and permissions of system-side pad file on the USB device (replace /media/usb with your mount point): `ls -l /media/usb/device.pad`
• Attempt to authenticate with pam_usb and monitor logs for unexpected authentication successes when the user-side pad is missing.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade pam_usb to version 0.9.0 or later where the issue is fixed.

Until the upgrade can be performed, avoid relying solely on pam_usb authentication for security, as local users may bypass the USB device requirement by deleting their ~/.pamusb/device.pad file.

Useful 0 Not Useful 0