Security advisory YSA-2020-02, YSA-2020-03 – Out of bounds read in libykpiv

Published date: 2020-07-08
Tracking ID: YSA-2020-02 , YSA-2020-03
CVE: CVE-2020-13131

Summary

The libykpiv library, included in the Yubico PIV Tool project and the YubiKey Smart Card Minidriver, does not properly check embedded length fields during device communication. A maliciously-crafted PIV token could possibly misreport the returned length fields during RSA key generation. This could cause host memory to be leaked that may contain sensitive information. Note that RSA key generation is always initiated by the host and cannot directly be triggered by the token.

Affected products

Yubico products using the libykpiv library with version 2.0.0 and earlier. This includes the Yubico PIV Tool version 2.0.0 and earlier, and the YubiKey Smart Card Minidriver version 4.1.0.172 and earlier.

Customer actions

The affected library is included in the Yubico PIV Tool and in the YubiKey Smart Card Minidriver. We recommend individuals using these to upgrade Yubico PIV Tool to 2.1.0 and the YubiKey Smart Card Minidriver to 4.1.1.210.

Due to the open source software status of the libykpiv library, there might be other users of this library. If in doubt, please check the third party dependencies for libykpiv in the products you use.

Furthermore, this tool can be used to test the authenticity of your YubiKey.

Technical details

The function ykpiv_util_generate_key() has a local stack buffer of size 1024 bytes. It uses this buffer to communicate with the PIV token but does not correctly validate that the returned length fields are valid. As a result, a maliciously-crafted token could possibly misreport a size of up to 65535 bytes. This length is used in a memory copy operation from a local stack buffer into allocated heap memory. As a result, stack memory from an out of bounds read is returned to the caller instead of the expected communication data.

In Yubico PIV Tool, the tool is the caller and evaluates the returned data as bignums. It then proceeds to use the bignums as the ‘n’ and ‘e’ arguments for the public part of the generated key. As a result, the public key will consist of ASN1-encoded stack memory.

In YubiKey Smart Card Minidriver, the overread will cause the key generate function to overwrite allocated heap memory with the stack memory. If an attacker has control of where and what heap memory chunks are placed, a crash could be avoided and the leaked stack memory content could potentially be retrieved..

Included in the GitHub ChangeLog and commit history of this Yubico PIV Tool release are also a few other fixes to lower severity issues related to the embedded length field.

The issues include a local denial of service (CVE-2020-13132) where the passed in pointer is deallocated instead of the dynamically allocated one inside the function ykpiv_util_generate_key().

Downloads

The latest release of yubico-piv-tool can be found here under “releases”.

The latest release of the Smart Card Minidriver can be found here.

Aggregate severity rating

Yubico has rated this issue as Low to Moderate based on maximum security impact. The base CVSS score is 4.3

Acknowledgments

On April 29, 2020, Christian Reitter notified Yubico of multiple security issues. We thank Christian Reitter for reporting these issues and working with us under coordinated vulnerability disclosure.

Timeline

April 29, 2020 Christian Reitter reports issue to Yubico
July 8, 2020 Yubico-piv-tool 2.1.0 is released with fixes for the reported security issues.
July 8, 2020 Security Advisory is published