CVE-2020-24612

NameCVE-2020-24612
DescriptionAn issue was discovered in the selinux-policy (aka Reference Policy) package 3.14 through 2020-08-24 because the .config/Yubico directory is mishandled. Consequently, when SELinux is in enforced mode, pam-u2f is not allowed to read the user's U2F configuration file. If configured with the nouserok option (the default when configured by the authselect tool), and that file cannot be read, the second factor is disabled. An attacker with only the knowledge of the password can then log in, bypassing 2FA.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
refpolicy (PTS)stretch2:2.20161023.1-9fixed
buster2:2.20190201-2fixed
bullseye2:2.20210203-7fixed
bookworm2:2.20221101-9fixed
sid, trixie2:2.20241013-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
refpolicysource(unstable)(not affected)

Notes

- refpolicy <not-affected> (Debian package doesn't ship pam-u2f config)
https://bugzilla.redhat.com/show_bug.cgi?id=1860888
https://github.com/fedora-selinux/selinux-policy/commit/71e1989028802c7875d3436fd3966c587fa383fb

Search for package or bug name: Reporting problems