CVE-2021-31924: 
Homebrew vulnerability analysis and mitigation

Yubico pam-u2f before version 1.1.1 contains a logic issue (CVE-2021-31924) discovered in May 2021 that could lead to a local PIN bypass depending on the pam-u2f configuration and application used. The vulnerability affects the PAM module that provides authentication over U2F and FIDO2 for YubiKey and other FIDO-compliant authenticators (NVD, Yubico Advisory).

The vulnerability stems from a logic flaw in how pam-u2f handles PIN authentication. If pam-u2f is configured to require PIN authentication and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN verification. If this authentication succeeds, the PIN requirement is bypassed. The vulnerability has a CVSS v3.1 score of 6.8 (Medium) (NVD, Yubico Advisory).

While this vulnerability allows bypassing the PIN requirement, it does not compromise other security measures. An attacker would still need physical possession of and interaction with the YubiKey or enrolled authenticator, as user presence (touch) and cryptographic signature verification cannot be bypassed. The vulnerability primarily affects users relying on PIN authentication with pam-u2f version 1.1.0 (Yubico Advisory).

The recommended mitigation is to upgrade to pam-u2f version 1.1.1 or later, which addresses this vulnerability. No alternative workarounds are available (Gentoo Security, Yubico Advisory).

The vulnerability was reported by Kamil Jońca on April 23, 2021, and Yubico released the advisory YSA-2021-03 on May 19, 2021. Various Linux distributions including Fedora and Gentoo have released security updates to address this vulnerability (Fedora Update, Gentoo Security).