CVE-2025-23013
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2025-23013 affects Yubico pam-u2f before version 1.3.1, a Pluggable Authentication Module (PAM) that enables authentication with a YubiKey or other FIDO-compliant authenticator on macOS and Linux systems. The vulnerability was disclosed in January 2025 and allows local privilege escalation through an authentication bypass in certain PAM configurations (Yubico Advisory, NVD).

Technical details

The vulnerability stems from improper handling of error paths in the module's pam_sm_authenticate() function: on several failures the function returns PAM_IGNORE, which tells the PAM stack to disregard the module's verdict rather than fail the authentication. The affected paths include gethostname() errors, memory allocation failures in strdup() or calloc(), resolve_authfile_path() failures, and failures of pam_modutil_drop_priv() or pam_modutil_regain_priv(). The vulnerability has a CVSS v4.0 score of 7.3 (HIGH) with vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (OSS Security).

Impact

The vulnerability can lead to authentication bypass in two main scenarios. In second-factor configurations, it allows login without presenting the second factor; in password-less configurations, it can allow login without any authentication at all if one of the affected error conditions is triggered. This particularly affects systems where pam-u2f gates privileged access through sudo or su (Security Online).

Mitigation and workarounds

The vulnerability has been fixed in pam-u2f version 1.3.1. For systems that cannot upgrade immediately, a temporary workaround is to change the control field of the module's line in the PAM stack configuration to: 'auth [success=ok default=bad] pam_u2f.so [...]'. With this control field, a PAM_IGNORE return is treated as an authentication failure instead of being skipped. The fix itself replaces the problematic PAM_IGNORE return values with codes that mark authentication as failed: PAM_BUF_ERR for memory allocation errors and PAM_ABORT for other critical errors (OSS Security).
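To make the mechanism in the two sections above concrete, the following is an added, deliberately reduced model (not pam-u2f's own code) of the vulnerable and fixed error path, plus a two-module "auth" stack evaluator that shows why the [success=ok default=bad] workaround closes the bypass. The PAM return codes are redefined locally with Linux-PAM's values so it builds without the PAM headers; the function names u2f_auth_vulnerable, u2f_auth_fixed and stack_allows are assumed for illustration.

```c
#include <stdio.h>

/* Linux-PAM return codes (values match <security/pam_modules.h>), defined
 * here so the model builds without the PAM headers installed. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_AUTH_ERR = 7,
       PAM_IGNORE = 25, PAM_ABORT = 26 };

/* Control field of the pam_u2f line. "required" expands to
 * [success=ok new_authtok_reqd=ok ignore=ignore default=bad];
 * the advisory workaround is [success=ok default=bad]. */
typedef enum { CTRL_REQUIRED, CTRL_SUCCESS_OK_DEFAULT_BAD } pam_control;

/* Model of the pre-1.3.1 error path: an allocation failure returns
 * PAM_IGNORE, so the stack drops the module's verdict (the defect). */
int u2f_auth_vulnerable(int alloc_fails, int touch_ok) {
    if (alloc_fails) return PAM_IGNORE;
    return touch_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Same path after the fix: allocation errors become PAM_BUF_ERR. */
int u2f_auth_fixed(int alloc_fails, int touch_ok) {
    if (alloc_fails) return PAM_BUF_ERR;
    return touch_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Evaluate a stack of pam_unix (required) followed by pam_u2f with the
 * given control. Returns 1 if login is allowed, 0 if denied. This is a
 * simplified model of Linux-PAM stack evaluation, not the real algorithm. */
int stack_allows(int unix_rc, int u2f_rc, pam_control ctrl) {
    int failed = (unix_rc != PAM_SUCCESS);
    if (u2f_rc == PAM_SUCCESS) {
        /* success=ok: nothing to do */
    } else if (u2f_rc == PAM_IGNORE && ctrl == CTRL_REQUIRED) {
        /* ignore=ignore: the module's verdict is dropped from the stack */
    } else {
        failed = 1;                              /* default=bad */
    }
    return !failed;
}

int main(void) {
    /* Constructed scenario: password correct, pam_u2f hits an allocation failure. */
    int before = stack_allows(PAM_SUCCESS, u2f_auth_vulnerable(1, 0), CTRL_REQUIRED);
    int worked = stack_allows(PAM_SUCCESS, u2f_auth_vulnerable(1, 0), CTRL_SUCCESS_OK_DEFAULT_BAD);
    int after  = stack_allows(PAM_SUCCESS, u2f_auth_fixed(1, 0), CTRL_REQUIRED);
    printf("vulnerable + required:   %s\n", before ? "ALLOWED (second factor skipped)" : "denied");
    printf("vulnerable + workaround: %s\n", worked ? "allowed" : "denied");
    printf("fixed + required:        %s\n", after ? "allowed" : "denied");
    return 0;
}
```

The first case is the bypass: the stack's only remaining verdict is pam_unix's success, so a correct password alone logs the user in.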

Community reactions

The vulnerability was responsibly disclosed to Yubico's security team on November 20, 2024. Yubico acknowledged the issue and worked on a fix, leading to a coordinated release on January 14, 2025. The disclosure process included collaboration between the security researcher and Yubico to improve the proposed bugfix (OSS Security).
