Update, January 18, 2025: This story, originally published on January 17, now includes further information about CVE-2025-23013 and clarifications from Yubico about the severity rating.
Two-factor authentication has become more and more of a security essential over the past few years, so when news of anything that can bypass those 2FA protections breaks, it’s not something you can ignore, be it the constant hacking attacks that Google users face, malicious Chrome extensions, or the Rockstar bypasses that affect Microsoft users. Now, Yubico has thrown its hat into the 2FA bypass ring with a security advisory that confirms a bypass vulnerability in a software module used to support logging into Linux or macOS using a YubiKey or other FIDO authenticators. Here’s what you need to know.
Yubico 2FA Security Advisory YSA-2025-01
Yubico is most likely the first name that comes to mind when you think of two-factor authentication hardware keys and other secure authentication solutions. And for good reason: it’s been leading the market in the field of primary hardware resources for as long as I can remember, and I’ve been in the cyber security business for many decades. So when Yubico issues a security advisory, I tend to take note, and if you’re a Yubico customer, you should too.
Yubico Security Advisory Reference YSA-2025-01 relates to a partial authentication bypass in the pam-u2f pluggable authentication module (PAM) software package that can be deployed to support the YubiKey on macOS or Linux platforms.
According to the advisory, pam-u2f packages before version 1.3.1 contain a vulnerability that could enable an authentication bypass in some configurations. “An attacker would require the ability to log into the system as an unprivileged user,” Yubico explained, and, depending on the configuration, “the attacker may also need to know the user’s password.”
Yubico Details Sample Attack Scenarios
“A key differentiator between the scenarios is the location of the authorization file,” said Yubico (the pam-u2f argument itself is called authfile), explaining that the path to the authorization file is configured via an argument to pam-u2f in the PAM stack stored under /etc/pam or /etc/pam.d. Yubico has detailed several example scenarios that revolve around management of the authorization file, including:
When a user-managed authfile stored in the user’s home directory is combined with pam-u2f used as a single-factor authentication method and the “nouserok” option enabled, an attacker can remove or corrupt the authfile and force the pam-u2f module to return PAM_SUCCESS. “This would lead to escalation of local privileges if the user is authorized to do sudo,” Yubico said.
With a centrally managed authfile, where the file cannot be modified without elevated privileges, and assuming that pam-u2f is used as a second-factor authentication method in combination with a user password, Yubico said, an attacker may “attempt to exhaust system memory by allocating large amounts of memory and causing a memory allocation error within pam-u2f.” If successful, the second factor will no longer be verified during an authentication event.
Yubico said no YubiKey hardware has been affected by the 2FA bypass issue
Yubico confirmed that no hardware is affected by this vulnerability, meaning the issue does not affect any “previous or current generation YubiKey Series, YubiKey FIPS Series, Security Key Series, YubiHSM, or FIPS YubiHSM devices.”
Yubico CVE-2025-23013 vulnerability explained
The vulnerability in question, CVE-2025-23013, is classified as high severity. In some scenarios where memory cannot be allocated or the module cannot change privileges, pam-u2f “does not contribute to the final authentication decision made by PAM.” What this means is that a second or primary authentication factor, depending on the specific use case, will no longer be verified. “A key differentiator between the scenarios is the location of the authorization file,” Yubico said.
Yubico recommends that affected customers upgrade to the latest version of pam-u2f by either downloading directly from GitHub or obtaining the latest update via the Yubico PPA.
I reached out to Yubico for a statement. “We can confirm that Yubico was informed by researchers that an issue was discovered in its open source pam-u2f software package,” a Yubico spokesperson said. “This software issue does not affect YubiKeys or YubiHSM.”