PAM-U2F Flaw Bypasses Hardware Token Authentication

The openSUSE developers recently uncovered a vulnerability in the PAM module pam-u2f, which is used for authentication with YubiKey tokens, the Yubico Security Key, YubiHSM, and other FIDO devices that support the U2F (Universal 2nd Factor) protocol. The vulnerability is tracked as CVE-2025-23013. In certain PAM configurations, the flaw allows a user with local access to the system to bypass authentication without inserting a hardware token. Typically, the pam-u2f module is used for two-factor or passwordless token-based authentication, for example to confirm privilege elevation through tools like su and sudo.

The vulnerability stems from an incorrect return value from the function pam_sm_authenticate(): the PAM_IGNORE code. This value is erroneously returned in various error scenarios, including failures of gethostname(), pam_modutil_drop_priv(), pam_modutil_regain_priv() and resolve_authfile_path(), and memory allocation failures in strdup() or calloc(). The concern is that the libpam library, upon receiving the PAM_IGNORE code from a PAM module, can misinterpret the outcome as a successful authentication result (PAM_SUCCESS) if another PAM module in the same stack had already authenticated successfully.

When the pam-u2f module is used alongside pam_unix for two-factor authentication, the vulnerability permits successful authentication as soon as the password check succeeds, without the second factor being confirmed. For passwordless authentication with a pam-u2f hardware token, the flaw can be exploited in combination with the pam_faillock module, which limits authentication attempts and erroneously returns PAM_SUCCESS if the attempt limit has not been exceeded.

An example of how this vulnerability could be exploited is a token bypass by a local privileged user running commands through tools like sudo and su: by manipulating conditions such as exhausting available memory while the command is executed, an attacker could trigger the PAM_IGNORE return from the pam-u2f module and thereby bypass the second-factor authentication. The issue has been fixed in pam-u2f 1.3.1.
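To see why a stray PAM_IGNORE turns into a bypass only when another module has already succeeded, the following added example (not code from pam-u2f or Linux-PAM) models the part of libpam's stack evaluation that matters here: the expansion of `required`/`requisite`/`sufficient`/`optional` into per-return-code action tables, and the way `ok`, `bad`, `die`, `done` and `ignore` actions update the running verdict. The module return codes in each scenario are constructed inputs standing in for pam_unix, pam_faillock and pam_u2f; the explicit `[... ignore=bad ...]` control line used in the last scenario is standard libpam bracket syntax and is shown as a configuration-side check, not as the upstream fix.

```python
"""
Simplified model of how libpam combines the return codes of the modules in
an 'auth' stack.  Jumps, 'reset' and the grantor bookkeeping of the real
dispatcher are not modelled; only the actions used by the common shorthands.
Constructed example, not the Linux-PAM or pam-u2f source.
"""

# Return codes, numeric values as in <security/_pam_types.h>
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12
PAM_IGNORE = 25
PAM_MUST_FAIL_CODE = PAM_PERM_DENIED  # substituted when a PAM_IGNORE is judged 'bad'

# Shorthand control flags and the [retval=action ...] tables they expand to.
SHORTHAND = {
    "required":   {PAM_SUCCESS: "ok",   PAM_NEW_AUTHTOK_REQD: "ok",   PAM_IGNORE: "ignore", "default": "bad"},
    "requisite":  {PAM_SUCCESS: "ok",   PAM_NEW_AUTHTOK_REQD: "ok",   PAM_IGNORE: "ignore", "default": "die"},
    "sufficient": {PAM_SUCCESS: "done", PAM_NEW_AUTHTOK_REQD: "done", "default": "ignore"},
    "optional":   {PAM_SUCCESS: "ok",   PAM_NEW_AUTHTOK_REQD: "ok",   "default": "ignore"},
}

# Names accepted inside a bracketed control field (subset of libpam's list).
RETVAL_NAMES = {
    "success": PAM_SUCCESS, "perm_denied": PAM_PERM_DENIED, "auth_err": PAM_AUTH_ERR,
    "new_authtok_reqd": PAM_NEW_AUTHTOK_REQD, "ignore": PAM_IGNORE,
}
ACTIONS = {"ok", "done", "bad", "die", "ignore"}


def parse_control(control):
    """Turn 'required' or '[success=ok ignore=bad default=bad]' into an action table."""
    if control in SHORTHAND:
        return dict(SHORTHAND[control])
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control field: %r" % control)
    table = {}
    for item in control[1:-1].split():
        name, action = item.split("=", 1)
        if action not in ACTIONS:
            raise ValueError("action not modelled: %r" % action)
        table["default" if name == "default" else RETVAL_NAMES[name]] = action
    table.setdefault("default", "bad")
    return table


def dispatch(stack):
    """stack: list of (control, module_name, retval). Returns the status libpam
    would hand back to the application (sudo, su, ...) for this auth stack."""
    impression = None            # None = undefined, else "positive"/"negative"
    status = PAM_MUST_FAIL_CODE  # what an empty or all-ignored stack yields
    for control, _module, retval in stack:
        table = parse_control(control)
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue             # module neither helps nor hurts the verdict
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                if retval != PAM_IGNORE or impression is None:
                    impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break
        else:                    # "bad" or "die"
            if impression != "negative":
                impression = "negative"
                # a PAM_IGNORE judged bad must not leak out as the final status
                status = PAM_MUST_FAIL_CODE if retval == PAM_IGNORE else retval
            if action == "die":
                break
    if status == PAM_SUCCESS and impression != "positive":
        status = PAM_MUST_FAIL_CODE  # sanity check: success needs a positive impression
    return status


def scenarios():
    """Constructed stacks illustrating the bypass and a configuration-side check."""
    hardened_u2f = "[success=ok new_authtok_reqd=ok ignore=bad default=bad]"
    return {
        # 2FA: password accepted, then pam_u2f hits an internal error and returns PAM_IGNORE
        "2fa, u2f returns PAM_IGNORE":   dispatch([("required", "pam_unix", PAM_SUCCESS),
                                                   ("required", "pam_u2f", PAM_IGNORE)]),
        # 2FA: token genuinely absent, module reports a real failure
        "2fa, u2f returns PAM_AUTH_ERR": dispatch([("required", "pam_unix", PAM_SUCCESS),
                                                   ("required", "pam_u2f", PAM_AUTH_ERR)]),
        # passwordless: pam_faillock preauth succeeds (limit not exceeded), pam_u2f ignores
        "faillock + u2f PAM_IGNORE":     dispatch([("required", "pam_faillock preauth", PAM_SUCCESS),
                                                   ("required", "pam_u2f", PAM_IGNORE)]),
        # pam_u2f alone: PAM_IGNORE with nobody else succeeding does not grant access
        "u2f alone, PAM_IGNORE":         dispatch([("required", "pam_u2f", PAM_IGNORE)]),
        # explicit control table maps ignore=bad, so the stray PAM_IGNORE fails the stack
        "2fa, ignore=bad on u2f":        dispatch([("required", "pam_unix", PAM_SUCCESS),
                                                   (hardened_u2f, "pam_u2f", PAM_IGNORE)]),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print("%-32s -> %s" % (name, "PAM_SUCCESS" if status == PAM_SUCCESS else "denied (%d)" % status))
```

The two scenarios that end in PAM_SUCCESS are exactly the configurations the advisory names: pam_unix followed by pam_u2f, and pam_faillock followed by pam_u2f. The model also shows that PAM_IGNORE from pam_u2f alone is not enough, which is why the issue only appears in multi-module stacks, and that an explicit `[... ignore=bad ...]` control field on the pam_u2f line makes libpam treat the unexpected PAM_IGNORE as a failure; upgrading to pam-u2f 1.3.1, which stops returning PAM_IGNORE in those error paths, remains the actual fix.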
