Impact
The vulnerability arises because pam_usb reads its configuration file with xmlReadFile flags=0, allowing libxml2 to process external entity references. If the configuration file contains crafted entity definitions, the parsing process may cause outbound network connections or local file reads during authentication, potentially enabling an attacker who can write to pam_usb.conf to inject data or exfiltrate information. Because pam_usb is executed as a set‑uid helper for commands such as sudo or su, compromised configuration parsing could lead to privilege escalation or unauthorized data disclosure. This weakness is classified as CWE‑611 (XML External Entity (XXE) Processing).
Affected Systems
The affected product is pam_usb from the McDope project. All releases older than 0.9.2 are vulnerable. The configuration file pam_usb.conf is owned by root, so the attacker must first gain write permission to that file, but the set‑uid execution environment makes the potential impact significant if such access is achieved.
Risk and Exploitability
The CVSS score is 6.7, indicating moderate severity. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires crafting a malicious XML configuration and modifying pam_usb.conf, after which pam_usb.so will process the file as the root user during authentication. This attack vector is limited but viable in environments where the attacker can tamper with the root‑owned configuration file, such as systems with compromised local users or during supply‑chain attacks.
OpenCVE Enrichment