Executive Summary

The vulnerability exists in pam_usb versions prior to 0.9.1, which provides hardware authentication for Linux using ordinary removable media. Specifically, in the file src/evdev.c, the code silently ignores EACCES (permission denied) errors when trying to open /dev/input/event* device nodes. This causes the function pusb_has_virtual_input_device() to incorrectly report that no virtual input devices are found, even though the open() calls actually failed due to insufficient permissions.

Because of this, the caller in src/local.c cannot tell whether there truly are no virtual devices or if the scan failed due to permission issues. As a result, it treats the situation as if no virtual devices exist and continues the authentication process without denying access, potentially allowing unauthorized authentication.

This issue was fixed in version 0.9.1 of pam_usb.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an authentication bypass in pam_usb. Because the software fails to properly handle permission errors when checking for virtual input devices, it may incorrectly assume no such devices are present and proceed with authentication without proper verification.

This means an attacker might be able to gain unauthorized access to a system that relies on pam_usb for hardware-based authentication, potentially compromising system security.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade pam_usb to version 0.9.1 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes the pam_usb software to silently fail in detecting virtual input devices due to ignored permission errors, leading to a false sense of security.

As a result, security controls relying on this detection, such as remote_desktop_check, may be considered active when they are effectively disabled.

This silent failure can mask misconfigurations and reduce the effectiveness of authentication mechanisms, potentially leading to unauthorized access.

Such a failure in security controls could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require proper access controls and protection of sensitive data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking whether the pam_usb software's evdev scan function is silently ignoring permission denied (EACCES) errors when attempting to open /dev/input/event* device nodes.

To detect the issue, you can run pamusb-check as a non-root user who is not in the input group and observe if it falsely reports no virtual input devices found. If it does, this indicates the vulnerability is present because the function is unable to access the input devices due to permission issues but does not report this.

A practical approach is to manually check permissions on /dev/input/event* devices and attempt to open them as the user running pam_usb. For example, you can use the following commands:

• ls -l /dev/input/event* # Check device permissions
• groups # Check if the user is in the 'input' group
• sudo -u <non-root-user> pamusb-check # Run pamusb-check as a non-root user to see if it detects virtual input devices
• strace -e open pamusb-check # Trace open() system calls to see if EACCES errors occur when opening /dev/input/event*

If the scan returns no devices found (0) but open() calls fail with EACCES, this confirms the vulnerability is present. The fixed version (0.9.1 and later) will return a distinct error code (-1) and warn about permission issues.

Useful 0 Not Useful 0