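Vulnerability Title
N/A
Vulnerability Description
An issue was discovered in version 3.14 of the selinux-policy (aka Reference Policy) package, caused by mishandling of the .config/Yubico directory; the issue was discovered on August 24, 2020. Consequently, when SELinux is in enforcing mode, pam-u2f is not allowed to read the user's U2F configuration file. If the nouserok option is used (the default when configured by the authselect tool) and that file cannot be read, the second factor is disabled. An attacker who knows only the password can log in, bypassing 2FA.
CVSS Information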
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
N/A
Vulnerability Title
N/A
Vulnerability Description
An issue was discovered in the selinux-policy (aka Reference Policy) package 3.14 through 2020-08-24 because the .config/Yubico directory is mishandled. Consequently, when SELinux is in enforced mode, pam-u2f is not allowed to read the user's U2F configuration file. If configured with the nouserok option (the default when configured by the authselect tool), and that file cannot be read, the second factor is disabled. An attacker with only the knowledge of the password can then log in, bypassing 2FA.
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
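Vulnerability Type
N/A
Vulnerability Title
selinux-policy (aka Reference Policy) package authorization issue vulnerability
Vulnerability Description
A security vulnerability exists in the selinux-policy (aka Reference Policy) package. An attacker can exploit this vulnerability to bypass 2FA and then perform malicious operations.
CVSS Information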
N/A
Vulnerability Type
Authorization issue