Security Advisory 2019-02-08 – Unchecked Buffer in libu2f-host

Tracking IDs: YSA-2019-01, CVE-2018-20340

Summary

Yubico library libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue can allow an attacker with a custom made malicious USB device masquerading as a security key, and physical access to a computer where PAM U2F or an application with libu2f-host integrated, to potentially execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are the most impacted since the arbitrary code could execute with elevated privileges.

It is not possible to perform this attack with genuine YubiKey devices and users utilizing a browser implementation of U2F are not affected by this issue.

User Actions

The affected library is included in a variety of applications. We recommend updating all affected software listed below.

How to Tell if You are Affected – Yubico Software

Affected Yubico Software Platform Steps to mitigate
YubiKey NEO Manager Windows
Linux
MacOS
Use YubiKey Manager in place of YubiKey NEO Manager
PAM U2F tool Linux
MacOS
Update the libu2f-host library

  1. Download from the Yubico Developer Program site
  2. Build according to the instructions on the libu2f-host page

How to Tell if You’re Affected – Non-Yubico Software

Libu2f-host is an open source implementation of U2F that is made available for solution providers to incorporate for U2F in their products. Software that uses libu2f-host prior to version 1.1.7 could be affected by this issue. Yubico recommends that developers who use libu2f-host in their products update to the latest version of libu2f-host. Libu2f-host version 1.1.7 or above addresses the issue.

In order to determine if a U2F application is using a vulnerable version of libu2f-host, users of U2F enabled software applications may execute the platform specific instructions below.  

Because these methods can have varying degrees of accuracy depending on the design of the application, Yubico encourages users to contact U2F application providers directly to find out if the application is impacted and, if so, whether an update is available.

Platform Instructions
Linux
  1. To see if libu2f-host is installed in the library path use the ldconfig command:

$ /sbin/ldconfig -p|grep libu2f-host
libu2f-host.so.0 (libc6,x86-64) => /usr/local/lib/libu2f-host.so.0
libu2f-host.so (libc6,x86-64) => /usr/local/lib/libu2f-host.so

  1. To see if a certain application is linked with the library use ldd command:

$ ldd your-u2f-application|grep libu2f-host
libu2f-host.so.0 => /usr/local/lib/libu2f-host.so.0

Windows This requires use of ListDLLs from Microsoft SysInternals

  1. Download and extract ListDLLs
  2. In a Command Prompt run and search for search for “libu2f-host”:

$ listdlls.exe | findstr “libu2f-host”

MacOS
  1. Use the otool command and search for “libu2f-host”

$otool -L PathToApplication | grep “libu2f-host”

Downloads

The latest release, 1.1.7, of libu2f-host can be found here under “releases”.

Aggregate Severity Rating

Yubico has rated this issue as Moderate based on maximum security impact. The base CVSS score is 6.3.

Acknowledgments

On December 18, 2018, Christian Reitter notified Yubico of a security issue. We thank Christian Reitter for reporting this issue and working with us under coordinated vulnerability disclosure.

Revisions

2018-02-08 Yubico releases advisory YSA-2019-01