Fwd: Security vulnerability in fprintd

Yaron Shahrabani sh.yaron at gmail.com
Sun May 19 07:33:35 UTC 2024


Hi guys, I'm writing to this mailing list since I've already shared the
details with both Benjamin Berg and Marco Trevisan in private and we have
yet to come to a conclusion about this vulnerability.

My sudo is configured to approve access with pam_fprintd; this is the
config file:

#%PAM-1.0

auth            sufficient      pam_fprintd.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth

So, unless I'm already authenticated, running the following command:
sudo whoami
Replies with the following prompt:
Place your finger on the fingerprint reader

Placing my finger on the fingerprint reader leads to the following output:
root

The security concern is that this process can also happen behind the
scenes, so if I'm running a script that has a sudo prompt to delete
something I care about, I can accidentally place my fingerprint on the
fingerprint reader for any other reasons, and my beloved files will be
removed.

How to recreate the issue?
Open your favorite console app on Linux.
If it supports tabs open two tabs, if not just open another window.
On the first tab type: sudo whoami
Switch to the second tab and type: echo Place your finger on the
fingerprint reader;cat
Place your fingerprint on the fingerprint reader
Return to the first tab (you should see that the command was approved and
the output is root)

Assume the user was running some background process and didn't see the
fingerprint prompt from the other terminal. The second terminal might
somehow deceive the user into placing the finger on the fingerprint reader
and elevating permissions without the user being fully aware.

On Ubuntu, if I want to recreate the same configuration, all I have to do
is simply enroll my fingerprints in System Settings,
then install pam-auth-update and select Fingerprint authentication
from the selection screen (apt specific), as described in the following SO
thread:
https://askubuntu.com/questions/1015416/use-fingerprint-authentication-not-only-for-login

This problem was solved in macOS by simply displaying a window, and if the
window is out of focus, the fingerprint won't work.
Since we can't rely on any graphical window on Linux, as it can be
terminal only, we need to somehow make sure that the user's fingerprint is
used only for the sole purpose of the request and with full attention to
the specific action the fingerprint was requested for. Otherwise, the
fingerprint can be hijacked (just like clickjacking).

Benjamin was kind enough to respond and I allowed myself to summarize his
reply:
It can happen with fprintd as with any other external authentication method
(aside from password, we have Bluetooth proximity, NFC Tag, Smart Card,
etc.), so it is not unique to fprintd.
Benjamin also offered some ways to mitigate such as changing the
configuration or using pkexec instead of sudo.

I addressed this issue with the sudo maintainer, Todd C. Miller, and again
I allowed myself to summarize his response:
Although I understand the concern, I can't see any way to fix it without a
security attention mechanism.

CVSS 4.0 ranked this CVE as 7.3.

Thank you,
PS, I'm not a security researcher and I'm not affiliated with any
organization.
Yaron Shahrabani

<DevOps - Hebrew translator>
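The PAM stack quoted in the report is exactly the shape that lets a fingerprint alone satisfy sudo: a `sufficient` pam_fprintd.so line with no required module ahead of it. As an added example (not part of the original message, fprintd or sudo), the following Python audit parses such a stack and flags that condition; the "hardened" variant, which assumes a required password module (pam_unix.so) placed before a required pam_fprintd.so, is a constructed illustration of one possible configuration change, not a recommendation taken from the thread.

```python
import re

# Constructed sample: the sudo PAM stack quoted in the report.
REPORTED_SUDO_STACK = """\
#%PAM-1.0
auth            sufficient      pam_fprintd.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth
"""

# Constructed, hypothetical variant: a password module is required before the
# fingerprint module, so a finger on the reader can never unlock sudo by itself.
HARDENED_SUDO_STACK = """\
#%PAM-1.0
auth            required        pam_unix.so
auth            required        pam_fprintd.so
auth            include         system-auth
account         include         system-auth
session         include         system-auth
"""

# Matches "auth <control> <module>", where control is a word or a [bracketed] action list.
AUTH_RE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_auth_lines(text):
    """Return (control, module) pairs for the 'auth' type; comments and other types are skipped."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = AUTH_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows


def fingerprint_alone_sufficient(text, module="pam_fprintd.so"):
    """True when the fingerprint module can satisfy the auth stack on its own.

    That is the case when it is 'sufficient' (or a bracketed control with
    success=done) and no 'required'/'requisite' module has been evaluated before
    it. Files pulled in via 'include' are not resolved, so a stack whose only
    fingerprint line lives in an included file is not detected.
    """
    seen_required = False
    for control, mod in parse_auth_lines(text):
        grants_alone = control == "sufficient" or "success=done" in control
        if mod == module and grants_alone and not seen_required:
            return True
        if control in ("required", "requisite"):
            seen_required = True
    return False
```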