    Security advisory YSA-2019-01 – unchecked buffer in libu2f-host

    Published date: 2019-02-08
    Tracking IDs: YSA-2019-01
    CVE: CVE-2018-20340

    Summary

    The Yubico library libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue could allow an attacker who has a custom-made malicious USB device masquerading as a security key, and physical access to a computer running PAM U2F or an application with libu2f-host integrated, to potentially execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are the most impacted, since the arbitrary code could execute with elevated privileges.

    It is not possible to perform this attack with genuine YubiKey devices, and users utilizing a browser implementation of U2F are not affected by this issue.

    User actions

    The affected library is included in a variety of applications. We recommend updating all affected software listed below.

    How to tell if you are affected – Yubico software

    Affected Yubico software | Platform | Steps to mitigate
    YubiKey NEO Manager | Windows, Linux, MacOS | Use YubiKey Manager in place of YubiKey NEO Manager
    PAM U2F tool | Linux, MacOS | Update the libu2f-host library: download it from the Yubico Developer Program site and build it according to the instructions on the libu2f-host page

    How to tell if you’re affected – non-Yubico software

    Libu2f-host is an open source implementation of U2F that is made available for solution providers to incorporate for U2F in their products. Software that uses libu2f-host prior to version 1.1.7 could be affected by this issue. Yubico recommends that developers who use libu2f-host in their products update to the latest version of libu2f-host. Libu2f-host version 1.1.7 or above addresses the issue.

    In order to determine if a U2F application is using a vulnerable version of libu2f-host, users of U2F-enabled software applications may execute the platform-specific instructions below.

    Because these methods can have varying degrees of accuracy depending on the design of the application, Yubico encourages users to contact U2F application providers directly to find out if the application is impacted and, if so, whether an update is available.

    Platform: Linux
    1. To see if libu2f-host is installed in the library path, use the ldconfig command:
       $ /sbin/ldconfig -p | grep libu2f-host
       libu2f-host.so.0 (libc6,x86-64) => /usr/local/lib/libu2f-host.so.0
       libu2f-host.so (libc6,x86-64) => /usr/local/lib/libu2f-host.so
    2. To see if a certain application is linked with the library, use the ldd command:
       $ ldd your-u2f-application | grep libu2f-host
       libu2f-host.so.0 => /usr/local/lib/libu2f-host.so.0

    Platform: Windows
    This requires ListDLLs from Microsoft Sysinternals.
    1. Download and extract ListDLLs.
    2. In a Command Prompt, run ListDLLs and search for "libu2f-host":
       $ listdlls.exe | findstr "libu2f-host"

    Platform: MacOS
    1. Use the otool command and search for "libu2f-host":
       $ otool -L PathToApplication | grep "libu2f-host"
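    As an added example that is not part of the advisory, the following POSIX shell script automates the Linux check above: it tests whether a binary is linked against libu2f-host (via ldd) and compares an installed version against the fixed release 1.1.7. The version lookup through pkg-config and the module name u2f-host are assumptions and may differ on a given system.

```shell
#!/bin/sh
# Added example (not Yubico's code): flag applications linked against a
# libu2f-host older than the fixed release named in YSA-2019-01.

FIXED_VERSION="1.1.7"

# Return 0 if dotted numeric version $1 is strictly older than $2.
# Uses numeric per-field sort so that 1.1.10 is newer than 1.1.7.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$oldest" = "$1" ]
}

# Return 0 if version $1 is affected (older than 1.1.7).
vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# Return 0 if ldd-style output passed in $1 mentions libu2f-host.
links_libu2f_host_in() {
    printf '%s\n' "$1" | grep -q 'libu2f-host\.so'
}

# Installed version via pkg-config (assumed module name u2f-host);
# prints "unknown" when pkg-config or the module is not present.
installed_version() {
    pkg-config --modversion u2f-host 2>/dev/null || echo unknown
}

# Check one executable: report linkage and the installed library version.
check_application() {
    app="$1"
    if links_libu2f_host_in "$(ldd "$app" 2>/dev/null)"; then
        ver=$(installed_version)
        if [ "$ver" != unknown ] && vulnerable_version "$ver"; then
            echo "$app: linked against libu2f-host $ver (affected, update to $FIXED_VERSION)"
            return 0
        fi
        echo "$app: linked against libu2f-host, installed version $ver"
        return 1
    fi
    echo "$app: not linked against libu2f-host"
    return 1
}

# Constructed sample ldd output, modelled on the advisory's example lines.
SAMPLE_LDD="	libu2f-host.so.0 => /usr/local/lib/libu2f-host.so.0
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6"
```

Run it as `check_application /path/to/your-u2f-application` on a Linux host; an exit status of 0 means the binary links an affected version.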

    Downloads

    The latest release, 1.1.7, of libu2f-host can be found here under “releases”.

    Aggregate severity rating

    Yubico has rated this issue as Moderate based on maximum security impact. The base CVSS score is 6.3.

    Acknowledgments

    On December 18, 2018, Christian Reitter notified Yubico of a security issue. We thank Christian Reitter for reporting this issue and working with us under coordinated vulnerability disclosure.

    Revisions

    2019-02-08 – Yubico releases advisory YSA-2019-01