Yubico PAM Module Vulnerability Let Attackers Bypass Authentications In Certain Configurations


Jan 17, 2025 - 14:31

Yubico, a leading provider of hardware authentication security keys, has disclosed a significant vulnerability in its PAM (Pluggable Authentication Module) software package.

The flaw, tracked as CVE-2025-23013, could allow attackers to bypass authentication in certain configurations.

The security issue affects the “pam-u2f” software package versions prior to 1.3.1.

This open-source module is designed to support authentication using YubiKeys or other FIDO-compliant authenticators on macOS and Linux systems.

Yubico's advisory summarizes the key points of the vulnerability:

  1. The flaw resides in the implementation of the pam_sm_authenticate() function.
  2. Under specific error conditions, such as memory allocation failures or failed privilege changes, the module returns PAM_IGNORE instead of an authentication failure.
  3. When PAM_IGNORE is returned, the module does not contribute to the final authentication decision, so the PAM stack proceeds as if pam-u2f were not present.
  4. In configurations with the “nouserok” option enabled, PAM_SUCCESS is returned if the user's authfile is missing or corrupted.


Impact and Severity

Yubico has rated this vulnerability as “High” with a CVSS score of 7.3. The impact depends on how pam-u2f is deployed:

  1. Where pam-u2f is used as a single-factor authentication method with user-managed authfiles, an attacker could achieve local privilege escalation.
  2. Where authfiles are centrally managed and pam-u2f is used as a second factor, the second factor might be bypassed during authentication events.

Yubico strongly recommends that affected customers take the following actions:

  1. Upgrade to the latest version of pam-u2f, either by downloading directly from GitHub or updating via the Yubico PPA.
  2. For libpam (Linux-PAM) users, an alternative mitigation is to disable the “nouserok” option and mark the “ignore” control value with the action “bad” for all pam-u2f references in the PAM stack, using the bracketed [value=action …] control syntax so that a PAM_IGNORE result counts as a failure instead of being skipped.
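The following audit script is an added example, not code from Yubico or from the original article. It checks a Linux-PAM configuration file for the two conditions in the workaround above: a pam_u2f.so line must not carry “nouserok”, and its control field must map the “ignore” result to “bad” (or “die”), which only the bracketed [value=action …] syntax can express; a plain keyword such as “required” leaves PAM_IGNORE mapped to “ignore”. It goes slightly beyond the article's wording by also accepting a control that sets default=bad without an explicit ignore= entry, since Linux-PAM's “default” covers every result not listed. The “weak” and “hardened” configuration files it writes are constructed for the demonstration; the paths and option values in them are assumptions, not taken from the advisory.

```shell
#!/bin/sh
# Added audit helper (not Yubico's code) for the CVE-2025-23013 workaround.
# Assumptions: Linux-PAM (libpam) config syntax; the module is referenced as
# pam_u2f.so. The sample config files below are constructed for the demo.

# audit_pam_u2f FILE -> exit 0 if every pam_u2f.so line is hardened, 1 otherwise.
# Hardened means: no "nouserok", and the control field maps ignore= to bad/die
# (explicitly, or via default=bad/die with no explicit ignore= entry).
audit_pam_u2f() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        /pam_u2f\.so/ {
            if ($0 ~ /nouserok/) {
                print "WEAK (nouserok set): " $0; weak++; next
            }
            ctl = ""
            if (match($0, /\[[^]]*\]/))                # bracketed control field
                ctl = substr($0, RSTART, RLENGTH)
            if (ctl ~ /ignore=(bad|die)/ ||
                (ctl ~ /default=(bad|die)/ && ctl !~ /ignore=/)) {
                print "OK: " $0
            } else {
                print "WEAK (PAM_IGNORE not mapped to bad): " $0; weak++
            }
        }
        END { exit (weak > 0) }
    ' "$1"
}

# Constructed "before" config: a typical single-line pam_u2f setup.
# Line 1 has nouserok; line 2 uses the plain "required" keyword, which keeps
# the default ignore=ignore mapping; line 3 is unrelated and must be skipped.
make_weak_sample() {
    cat > "$1" <<'EOF'
# common-auth (constructed sample)
auth required pam_u2f.so authfile=/etc/u2f_mappings cue nouserok
auth required pam_u2f.so authfile=/etc/u2f_mappings cue
auth required pam_unix.so
EOF
}

# Constructed "after" config: nouserok removed and ignore mapped to bad.
# Line 1 spells out "required" with ignore=bad; line 2 relies on default=bad,
# which covers every result not listed, including ignore.
make_hardened_sample() {
    cat > "$1" <<'EOF'
# common-auth (constructed sample)
auth [success=ok new_authtok_reqd=ok ignore=bad default=bad] pam_u2f.so authfile=/etc/u2f_mappings cue
auth [success=ok default=bad] pam_u2f.so authfile=/etc/u2f_mappings cue
auth required pam_unix.so
EOF
}

# Demo run over the two constructed samples
demo_dir=$(mktemp -d)
make_weak_sample "$demo_dir/weak"
make_hardened_sample "$demo_dir/hardened"
for f in "$demo_dir/weak" "$demo_dir/hardened"; do
    echo "== $f"
    if audit_pam_u2f "$f"; then echo "result: hardened"; else echo "result: NEEDS ATTENTION"; fi
done
rm -rf "$demo_dir"
```

On a real system, run `audit_pam_u2f` against each file under /etc/pam.d that references pam_u2f.so (and any included stacks such as common-auth); a file with no pam_u2f.so lines passes trivially, so confirm the module is actually referenced where you expect it. The check is a stopgap: upgrading to pam-u2f 1.3.1 or later remains the fix.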

No Yubico hardware devices are affected by this vulnerability, including all generations of:

  • YubiKey Series
  • YubiKey FIPS Series
  • Security Key Series
  • YubiHSM
  • YubiHSM FIPS devices

The vulnerability was responsibly disclosed to Yubico by Matthias Gerstner from the SUSE security team on November 11, 2024. Yubico has since worked promptly to address the issue and release this advisory.


The post Yubico PAM Module Vulnerability Let Attackers Bypass Authentications In Certain Configurations appeared first on Cyber Security News.