Security advisory 2019-02-08 – unchecked buffer in libu2f-host
Tracking IDs: YSA-2019-01, CVE-2018-20340
Yubico library libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue can allow an attacker with a custom made malicious USB device masquerading as a security key, and physical access to a computer where PAM U2F or an application with libu2f-host integrated, to potentially execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are the most impacted since the arbitrary code could execute with elevated privileges.
It is not possible to perform this attack with genuine YubiKey devices and users utilizing a browser implementation of U2F are not affected by this issue.
The affected library is included in a variety of applications. We recommend updating all affected software listed below.
How to tell if you are affected – Yubico software
|Affected Yubico software||Platform||Steps to mitigate|
|YubiKey NEO Manager||Windows
|Use YubiKey Manager in place of YubiKey NEO Manager|
|PAM U2F tool||Linux
|Update the libu2f-host library|
How to tell if you’re affected – non-Yubico software
Libu2f-host is an open source implementation of U2F that is made available for solution providers to incorporate for U2F in their products. Software that uses libu2f-host prior to version 1.1.7 could be affected by this issue. Yubico recommends that developers who use libu2f-host in their products update to the latest version of libu2f-host. Libu2f-host version 1.1.7 or above addresses the issue.
In order to determine if a U2F application is using a vulnerable version of libu2f-host, users of U2F enabled software applications may execute the platform specific instructions below.
Because these methods can have varying degrees of accuracy depending on the design of the application, Yubico encourages users to contact U2F application providers directly to find out if the application is impacted and, if so, whether an update is available.
$ /sbin/ldconfig -p|grep libu2f-host
$ ldd your-u2f-application|grep libu2f-host
|Windows||This requires use of ListDLLs from Microsoft SysInternals
$ listdlls.exe | findstr “libu2f-host”
$otool -L PathToApplication | grep “libu2f-host”
The latest release, 1.1.7, of libu2f-host can be found here under “releases”.
Aggregate severity rating
Yubico has rated this issue as Moderate based on maximum security impact. The base CVSS score is 6.3.
On December 18, 2018, Christian Reitter notified Yubico of a security issue. We thank Christian Reitter for reporting this issue and working with us under coordinated vulnerability disclosure.
|2018-02-08||Yubico releases advisory YSA-2019-01|