
    Security advisory 2018-08-03 – unchecked buffer in libykpiv

    Published date: 2018-08-08

    Tracking IDs: YSA-2018-03 

    CVE: CVE-2018-14779, CVE-2018-14780

    Summary

    Eric Sesterhenn of X41 D-Sec notified Yubico of a security issue in libykpiv, a supporting library of the Yubico PIV Tool, YubiKey PIV Manager, and YubiKey Smart Card Minidriver. An attacker with physical access to a computer where the Yubico PIV Tool, YubiKey PIV Manager, or YubiKey Smart Card Minidriver is running, and a custom-made malicious USB device masquerading as a YubiKey, could potentially use this issue to execute arbitrary code on that computer.

    It is not possible to perform this attack with a genuine YubiKey; nevertheless, we recommend updating all of the affected software listed below.

    Customer actions

    Yubico recommends that customers using affected versions of the tools update to the latest versions of each (see How to Tell if You Are Affected below). Libykpiv version 1.6.0 addresses the issue. Libykpiv is included in the command line Yubico PIV Tool, the GUI YubiKey PIV Manager, and the YubiKey Smart Card Minidriver. Versions that address this problem are now available.

    We also advise customers to continue to exercise caution when using any USB device of unknown origin.

    Issue details

    The libykpiv library prior to version 1.6.0 contains an unchecked buffer, which could allow a buffer overflow. An attacker could attempt to exploit this to execute malicious code by using a specially crafted USB device masquerading as a YubiKey on a computer where the affected library is currently in use. It is not possible to perform this attack with a genuine YubiKey. In the case of the Yubico PIV Tool and YubiKey PIV Manager, the malicious code would execute with the privileges of the user running the tool. For affected versions of the YubiKey Smart Card Minidriver, the malicious code would execute with SYSTEM privileges.

    How to tell if you are affected

    If you are using a tool that includes a libykpiv version older than 1.6.0, you are affected and should upgrade the tool. Libykpiv is included in the Yubico PIV Tool, the YubiKey PIV Manager, and the YubiKey Smart Card Minidriver for Windows.

    Yubico PIV Tool

    If you have only installed the command line PIV tool, you can verify the version with the following command:

    $ yubico-piv-tool --version


    If the version is lower than 1.6.0 you should update (Yubico PIV Tool).
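    The version check above can be scripted for fleet-wide or CI use. The following is an added example, not code from the Yubico advisory or from the yubico-piv-tool project. It assumes only that the output of `yubico-piv-tool --version` contains the version as a dotted number; the exact wording of that output is not reproduced here. The point worth noting is that versions must be compared component by component as integers: a plain string comparison would wrongly report a hypothetical 1.10.0 as older than 1.6.0.

```shell
#!/bin/sh
# Added example, not part of the Yubico advisory: check whether the installed
# yubico-piv-tool (and thus its bundled libykpiv) predates the fixed release.

FIXED_VERSION="1.6.0"   # first libykpiv release that addresses YSA-2018-03

# version_lt A B: return 0 (true) when dotted version A is older than B.
# Components are compared as integers, so 1.10.0 is correctly treated as
# newer than 1.6.0; a plain string comparison would get that wrong.
# Both inputs are padded with ".0.0" so that 1.6 compares equal to 1.6.0.
version_lt() {
    a="$1.0.0"
    b="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# extract_version TEXT: print the first N.N[.N] token found in TEXT.
# The exact wording of 'yubico-piv-tool --version' output is an assumption
# here; only the version number itself is picked out.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# check_version VERSION: print "affected" (and return 1) when VERSION is
# older than FIXED_VERSION, otherwise print "ok" and return 0.
check_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "affected"
        return 1
    fi
    echo "ok"
    return 0
}

# Use the real tool when it is on PATH; otherwise fall back to a constructed
# sample line so the script still demonstrates the check offline.
if command -v yubico-piv-tool >/dev/null 2>&1; then
    OUTPUT=$(yubico-piv-tool --version 2>&1)
else
    OUTPUT="yubico-piv-tool 1.5.0"   # constructed sample, not real tool output
fi

INSTALLED=$(extract_version "$OUTPUT")
if [ -z "$INSTALLED" ]; then
    echo "could not find a version number in: $OUTPUT"
elif [ "$(check_version "$INSTALLED")" = "affected" ]; then
    echo "libykpiv $INSTALLED is older than $FIXED_VERSION: affected, update the Yubico PIV Tool"
else
    echo "libykpiv $INSTALLED: not affected by YSA-2018-03"
fi
```

The script only checks the command line tool. The PIV Manager and the Smart Card Minidriver bundle their own copy of libykpiv, so a fixed yubico-piv-tool on a machine does not mean those installations are fixed; check each as described in the following sections.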

    Yubico PIV Manager

    If you are using the PIV Manager GUI tool, the version of the tool can be found by clicking the Help menu in the upper left corner, then selecting About.


    If the ykpiv entry under Library versions is lower than 1.6.0, you should update to YubiKey PIV Manager version 1.4.2f (YubiKey PIV Manager).

    YubiKey Smart Card Minidriver (Windows Only)

    If you are using the YubiKey Smart Card Minidriver:

    1. Open the Windows Device Manager (Start->Run->devmgmt.msc)

    2. From the device tree, select “Smart Cards”. If this item isn’t present, you may have to select “Show Hidden Devices” from the View menu.


    3. Double click on “YubiKey Smart Card Minidriver” and select the Driver tab.


    4. Observe the “Driver Version” field. If it is lower than 3.7.3.160, you are affected. (YubiKey Smart Card Minidriver)

    Downloads

    Download the latest version of Yubico PIV Tool here.

    Download the latest version of the YubiKey PIV Manager here.

    Download the latest version of the YubiKey Smart Card Minidriver here.

    Please note: the YubiKey Smart Card Minidriver is still undergoing Microsoft driver certification testing. The latest version available on 2018-08-08 is updated and signed by Yubico AB, but not yet signed by Microsoft. We will update this advisory when the Microsoft driver certification testing is complete and signed drivers are available.

    Severity

    Yubico has rated this issue as Moderate. For installations with only the PIV Tool or the PIV Manager, the CVSS v3 base score is 2.0. For installations with the Minidriver, the CVSS v3 base score is 6.4.

    Timeline

    2018/05/22 Eric Sesterhenn, from X41 D-Sec, informs Yubico of the issues and requests an embargo until 2018-08-08.
    2018/08/08 Yubico releases advisory YSA-2018-03 and updates to libykpiv / Yubico PIV Tool / YubiKey PIV Manager / YubiKey Smart Card Minidriver.