Security Advisory 2018-08-08 – Unchecked Buffer in libykpiv

Tracking IDs: YSA-2018-03, CVE-2018-14779, CVE-2018-14780

Summary

Eric Sesterhenn of X41 D-Sec notified Yubico of a security issue in libykpiv, a supporting library of the Yubico PIV Tool, YubiKey PIV Manager, and Yubikey Smart Card Minidriver. This issue can allow an attacker with a custom made malicious USB device masquerading as a YubiKey, and physical access to a computer where the Yubico PIV Tool, YubiKey PIV Manager, or YubiKey Smart Card Minidriver is running, to potentially execute arbitrary code on that computer.

It is not possible to perform this attack with a genuine YubiKey, however, we recommend updating all necessary software included below.

Customer Actions

Yubico recommends that customers using affected versions of the tools update to the latest versions of each (see How to Tell if You Are Affected below). Libykpiv version 1.6.0 addresses the issue. Libykpiv is included in the command line Yubico PIV Tool, the GUI YubiKey PIV Manager, and the YubiKey Smart Card Minidriver. Versions that address this problem are now available.

We also advise customers continue to exercise caution when utilizing any USB device of unknown origin.

Issue Details

The Libykpiv library prior to version 1.6.0 contains an unchecked buffer, which could allow a buffer overflow. An attacker could use this to attempt to execute malicious code using a specifically crafted USB device masquerading as a YubiKey on a computer where the affected library is currently in use. It is not possible to perform this attack with a genuine YubiKey. In the case of Yubico PIV Tool and YubiKey PIV Manager, malicious code would execute with the same privileges as the user who runs the library. For affected versions of the YubiKey Smart Card Minidriver, malicious code would execute with System level privileges.  

How To Tell If You Are Affected

If you are using a tool that includes a libykpiv version older than 1.6.0, you are affected and should upgrade the tool. Libykpiv is included in the Yubico PIV Tool, the YubiKey PIV Manager, and the YubiKey Smart Card Minidriver for Windows.

Yubico PIV Tool

If you have only installed the command line PIV tool you can verify the version with the  following command:

$ yubico-piv-tool –version

If the version is lower than 1.6.0 you should update (Yubico PIV Tool).

Yubico PIV Manager

If you are using the PIV Manager GUI tool, the version of the tool can be found by clicking the Help menu in the upper left corner, then selecting About.

If Library versions ykpiv is less than 1.6.0 you should update to YubiKey PIV Manager version 1.4.2f (YubiKey PIV Manager).

Yubikey Smart Card Minidriver (Windows Only)

If you are using the YubiKey Smart Card Minidriver:

  1. Open the Windows Device Manager (Start->Run->devmgmt.msc)
  2. From the device tree, select “Smart Cards”.  If this item isn’t present, you may have to select “Show Hidden Devices” from the View menu.

  3. Double click on “YubiKey Smart Card Minidriver” and select the Driver tab.

  4. Observe the “Driver Version” field.  If it is less than 3.7.3.160 you are affected. (YubiKey Smart Card Minidriver)

Downloads

Download the latest version of Yubico PIV Tool here.

Download the latest version of the YubiKey PIV Manager here.

Download the latest version of the YubiKey Smart Card Minidriver here.

Please note: the YubiKey Smart Card Minidriver is still undergoing Microsoft driver certification testing. The latest version available on 2018-08-08 is updated and signed by Yubico AB, but not yet signed by Microsoft. We will update this advisory when the Microsoft driver certification testing is complete and signed drivers are available.

Severity

Yubico has rated this issue as Moderate. For installations with only the PIV Tool or the PIV Manager, the base CVSS v3 score of 2.0. For installations with the Minidriver, the base CVSS score is 6.4.

Timeline

2018-05-22 Eric Sesterhenn, from X41 D-Sec, informs Yubico of the issues and request an embargo until 2018-08-08.
2018-08-08 Yubico releases advisory YSA-2018-03 and updates to libykpiv / Yubico PIV Tool / YubiKey PIV Manager / Yubikey Smart Card Minidriver.