Security advisory YSA-2019-01
Security advisory YSA-2019-01 – unchecked buffer in libu2f-host
Published date: 2019-02-08
Tracking IDs: YSA-2019-01
CVE: CVE-2018-20340
Summary
Yubico library libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue can allow an attacker with a custom made malicious USB device masquerading as a security key, and physical access to a computer where PAM U2F or an application with libu2f-host integrated, to potentially execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are the most impacted since the arbitrary code could execute with elevated privileges.
It is not possible to perform this attack with genuine YubiKey devices and users utilizing a browser implementation of U2F are not affected by this issue.
User actions
The affected library is included in a variety of applications. We recommend updating all affected software listed below.
How to tell if you are affected – Yubico software
| Affected Yubico software | Platform | Steps to mitigate |
| YubiKey NEO Manager | Windows Linux MacOS | Use YubiKey Manager in place of YubiKey NEO Manager |
| PAM U2F tool | Linux MacOS | Update the libu2f-host libraryDownload from the Yubico Developer Program site Build according to the instructions on the libu2f-host page |
How to tell if you’re affected – non-Yubico software
Libu2f-host is an open source implementation of U2F that is made available for solution providers to incorporate for U2F in their products. Software that uses libu2f-host prior to version 1.1.7 could be affected by this issue. Yubico recommends that developers who use libu2f-host in their products update to the latest version of libu2f-host. Libu2f-host version 1.1.7 or above addresses the issue.
In order to determine if a U2F application is using a vulnerable version of libu2f-host, users of U2F enabled software applications may execute the platform specific instructions below.
Because these methods can have varying degrees of accuracy depending on the design of the application, Yubico encourages users to contact U2F application providers directly to find out if the application is impacted and, if so, whether an update is available.
| Platform | Instructions |
| Linux | 1. To see if libu2f-host is installed in the library path use the ldconfig command: $ /sbin/ldconfig -p|grep libu2f-host libu2f-host.so.0 (libc6,x86-64) => /usr/local/lib/libu2f-host.so.0 libu2f-host.so (libc6,x86-64) => /usr/local/lib/libu2f-host.so 1. To see if a certain application is linked with the library use ldd command: $ ldd your-u2f-application|grep libu2f-host libu2f-host.so.0 => /usr/local/lib/libu2f-host.so.0 |
| Windows | This requires use of ListDLLs from Microsoft SysInternals 1. Download and extract ListDLLs 2. In a Command Prompt run and search for search for “libu2f-host”: $ listdlls.exe | findstr “libu2f-host” |
| MacOS | 1. Use the otool command and search for “libu2f-host” $otool -L PathToApplication | grep “libu2f-host” |
Downloads
The latest release, 1.1.7, of libu2f-host can be found here under “releases”.
Aggregate severity rating
Yubico has rated this issue as Moderate based on maximum security impact. The base CVSS score is 6.3.
Acknowledgments
On December 18, 2018, Christian Reitter notified Yubico of a security issue. We thank Christian Reitter for reporting this issue and working with us under coordinated vulnerability disclosure.
Revisions
| 2019-02-08 | Yubico releases advisory YSA-2019-01 |