Vulnerability Management, Identity, Privileged access management

Evading 2FA possible with Yubico software module bug

January 21, 2025

Adobe Stock

Major hardware authentication security key provider Yubico has warned of a high-severity security issue impacting its pam-u2f software package for Yubikey and FIDO-compliant device integration, tracked as CVE-2025-23013, which could be exploited to facilitate partial evasion of two-factor authentication defenses in macOS and Linux devices, The Cyber Express reports.

Such a vulnerability — which stems from inadequate authentication flow management within the pam_sm_authenticate() function — is slightly more severe in configurations involving single-factor authentication with user-managed AuthFile, as well as the utilization of pam-u2f for single-factor authentication with other Pluggable Authentication Modules, compared with scenarios involving 2FA with a centrally managed AuthFile, according to Yubico. Organizations running pam-u2f prior to 1.3.1, especially those that used apt or manual means for pam-u2f installation in macOS and Linux systems, have been urged to immediately download the latest version of the software module to avoid potential compromise.

An In-Depth Guide to Identity

Get essential knowledge and practical strategies to fortify your identity security.

Learn More

SC Staff

A 3D-Illustration of the word Linux on metallic cubes

Vulnerability Management

Linux kernel flaw added to CISA’s exploited vulnerabilities list

Steve ZurierFebruary 6, 2025

Flaw could let attackers escalate privileges on popular Google Android and Pixel devices.

Vulnerability Management

CISA: Actively exploited Linux kernel flaw requires immediate remediation

SC StaffFebruary 6, 2025

Such a vulnerability — which stems from a USB Video Class driver out-of-bounds write issue that could be exploited for privilege escalation — may have been used by forensic data extraction tools, according to the GrapheneOS development team.

Penetration Testing

How to prepare for an effective web application penetration test

Outpost 24February 6, 2025

At a time when data breaches and cyberattacks dominate headlines, web application security is top on the minds of IT leaders. By performing regular web application pen tests, possible vulnerabilities can be uncovered and steps taken to fortify your defenses. In this post, we'll discuss the importance of preparing for a pen test, the items that should be on your pen test checklist, and how to foster close collaboration with your pen testing team.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

Evading 2FA possible with Yubico software module bug

An In-Depth Guide to Identity

Related

Linux kernel flaw added to CISA’s exploited vulnerabilities list

CISA: Actively exploited Linux kernel flaw requires immediate remediation

How to prepare for an effective web application penetration test

Related Events

Balancing Act: Prioritizing Vulnerabilities and Misconfigurations in Vulnerability Management

CISO Perspectives to Improve/Optimize Vulnerability Management

Exposure management: How organizations can use it to build cyber resilience

Get daily email updates