Upcoming Security Release of a Yubico Library (Moderate severity, CVSS 6.3) - Unchecked Buffer libu2f-host

Bug #1814153 reported by Manbeer Singh Bhander on 2019-01-31
Affects: libu2f-host (Ubuntu)
Importance: Medium
Assigned to: Steve Beattie

Bug Description

An external security researcher has found an issue on one of our open source libraries (libu2f-host) and we are planning on releasing a new version of the library and then also push the fix to github (https://github.com/Yubico/libu2f-host).

We have agreed on this being of Moderate severity with a CVSS score of 6.3. We have also acquired a CVE number for it (CVE-2018-20340, not yet public). Please note that the CVSS score of 6.3 could be considered too low. Depending on how you interpret it could also be 7.0 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

This bug is under embargo and the disclosure date & time are set for 8th of February, 12.00 CET, so we would be grateful if you could withhold any information or patches until then.

Below is text from our not yet published advisory. I have left out the parts that are not particular to Linux.

I have attached a patch that applies cleanly to 1.1.4 (Bionic) and 1.1.6 (Cosmic).

Please let us know if you have any questions or require anything else from us.

Thanks,

Manbeer Singh Bhander on behalf of <email address hidden>

---
Security Advisory 2019-02-08 - Unchecked Buffer in libu2f-host
==============================================================
Tracking IDs: YSA-2019-01, CVE-2018-20340

Summary
-------
Yubico library libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue can allow an attacker with a custom made malicious USB device masquerading as a security key, and physical access to a computer where PAM U2F or an application with libu2f-host integrated is in use, to potentially execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are the most impacted since the arbitrary code could execute with elevated privileges. It is not possible to perform this attack with genuine YubiKey devices and users utilizing a browser implementation of U2F are not affected by this issue.

User Actions
------------
The affected library is included in a variety of applications. We recommend updating all affected software listed below.

Affected Yubico Software:
o YubiKey NEO Manager
  Use YubiKey Manager in place of YubiKey NEO Manager.
o PAM U2F tool
  Update the libu2f-host library that libpam-u2f depends on.

How to Tell if You’re Affected - Non-Yubico Software
----------------------------------------------------
Libu2f-host is an open source implementation of U2F that is made available for solution providers to incorporate for U2F in their products. Software that uses libu2f-host prior to version 1.1.7 could be affected by this issue. Yubico recommends that developers who use libu2f-host in their products update to the latest version of libu2f-host. Libu2f-host version 1.1.7 or above addresses the issue.

In order to determine if a U2F application is using a vulnerable version of libu2f-host, users of U2F enabled software applications may execute the platform specific instructions below.

Because these methods can have varying degrees of accuracy depending on the design of the application, Yubico encourages users to contact U2F application providers directly to find out if the application is impacted, and if so, whether an update is available.

To see if libu2f-host is installed in the library path use the ldconfig command:
$ /sbin/ldconfig -p|grep libu2f-host
        libu2f-host.so.0 (libc6,x86-64) => /usr/local/lib/libu2f-host.so.0
        libu2f-host.so (libc6,x86-64) => /usr/local/lib/libu2f-host.so
To see if a certain application is linked with the library use ldd command:
$ ldd your-u2f-application|grep libu2f-host
        libu2f-host.so.0 => /usr/local/lib/libu2f-host.so.0

Downloads
---------
The latest release, 1.1.7, of libu2f-host can be found here under “releases”: https://developers.yubico.com/libu2f-host/

Aggregate Severity Rating
-------------------------
Yubico has rated this issue as Moderate based on maximum security impact. The base CVSS score is 6.3 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Acknowledgments
---------------
On December 18, 2018, Christian Reitter notified Yubico of a security issue. We thank Christian Reitter for reporting this issue and working with us under coordinated vulnerability disclosure.
=============================================================================

description: updated
Steve Beattie (sbeattie) wrote :

Hi Manbeer,

Thanks for the report and patch.

Just an FYI, we try to avoid issuing security updates on Fridays (and thus try to avoid CRDs that occur on such days), to reduce the amount of work sysadmins might need to do over weekends.

Changed in libu2f-host (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Steve Beattie (sbeattie) on 2019-01-31
Changed in libu2f-host (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)

Hi Steve,

Thanks for following back up. I agree and see your point on not doing Friday releases. We will incorporate that into our process and, moving forward, avoid Monday and Friday releases.

Thanks,

Manbeer

Steve Beattie (sbeattie) wrote :

Making public now that the CRD has passed.

Upstream commit is https://github.com/Yubico/libu2f-host/commit/4d490bb2c528c351e32837fcdaebd998eb5d3f27 .

Thanks!

information type: Private Security → Public Security

Much appreciated

Thanks,

Manbeer Singh Bhander
Security Technical Program Manager | Yubico <http://www.yubico.com/>

On Fri, Feb 8, 2019 at 2:10 PM Steve Beattie <email address hidden> wrote:

> Making public now that the CRD has passed.
>
> Upstream commit is https://github.com/Yubico/libu2f-host/commit/4d490bb2c528c351e32837fcdaebd998eb5d3f27 .
>
> Thanks!

The attachment "Patch for Bug" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libu2f-host - 1.1.6-1ubuntu0.1

---------------
libu2f-host (1.1.6-1ubuntu0.1) cosmic-security; urgency=medium

  * SECURITY UPDATE: buffer overflow when handling response from device
    (LP: #1814153)
    - debian/patches//0002-CVE-2018-20340.patch: check to ensure
      response size is within offered buffer size.
    - CVE-2018-20340

 -- Steve Beattie <email address hidden> Tue, 05 Feb 2019 11:31:23 -0800

Changed in libu2f-host (Ubuntu):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libu2f-host - 1.1.4-1ubuntu0.1

---------------
libu2f-host (1.1.4-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: buffer overflow when handling response from device
    (LP: #1814153)
    - debian/patches//0002-CVE-2018-20340.patch: check to ensure
      response size is within offered buffer size.
    - CVE-2018-20340

 -- Steve Beattie <email address hidden> Tue, 05 Feb 2019 10:44:55 -0800

Changed in libu2f-host (Ubuntu):
status: Triaged → Fix Released
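As an added example (not code from the bug report, Ubuntu or Yubico), the following POSIX shell script packages the advisory's ldconfig and ldd checks together with a version classification built from the fixed versions quoted on this page: upstream 1.1.7, and the Ubuntu security builds 1.1.6-1ubuntu0.1 and 1.1.4-1ubuntu0.1 from the changelogs above, which carry the backported fix under an older upstream version number and would be misreported as vulnerable by a plain "prior to 1.1.7" test. The Ubuntu binary package name libu2f-host0 is an assumption; everything else is derived from the page.

```shell
#!/bin/sh
# Added example, not code from the bug report, Ubuntu or Yubico: a scan script
# built around the ldconfig/ldd checks in the advisory, plus a version check.
# ASSUMPTION: the Ubuntu binary package is named "libu2f-host0".

FIXED_UPSTREAM="1.1.7"
# Ubuntu builds listed in this bug that carry the backported fix under an
# older upstream version number.
FIXED_UBUNTU="1.1.6-1ubuntu0.1 1.1.4-1ubuntu0.1"

# Strip a Debian epoch ("1:") and revision ("-1ubuntu0.1") to get the
# upstream version, e.g. "1.1.6-1ubuntu0.1" -> "1.1.6".
upstream_of() {
  v=${1#*:}
  printf '%s\n' "${v%%-*}"
}

# Compare two dotted numeric versions; prints -1, 0 or 1 (strcmp style).
# Only purely numeric components are handled (no "rc" suffixes).
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
    case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    if [ "${ax:-0}" -lt "${bx:-0}" ]; then echo -1; return; fi
    if [ "${ax:-0}" -gt "${bx:-0}" ]; then echo 1; return; fi
  done
  echo 0
}

# Classify a package version string:
#   fixed-upstream  : upstream version is 1.1.7 or later
#   fixed-by-distro : exactly one of the Ubuntu security builds in this bug
#   likely-affected : anything else below 1.1.7 (a later distro revision may
#                     also carry the fix; confirm with dpkg --compare-versions
#                     or the package changelog)
classify_version() {
  ver=$1
  if [ "$(vercmp "$(upstream_of "$ver")" "$FIXED_UPSTREAM")" -ge 0 ]; then
    echo fixed-upstream; return
  fi
  for f in $FIXED_UBUNTU; do
    if [ "$ver" = "$f" ]; then echo fixed-by-distro; return; fi
  done
  echo likely-affected
}

# Extract the library paths from "ldconfig -p" or "ldd" output read on stdin,
# i.e. the part after "=>" on any line mentioning libu2f-host.
libu2f_paths() {
  grep 'libu2f-host' | sed -n 's/.*=> *//p'
}

# Live scan: loader cache, linkage of the binaries given as arguments, and the
# installed package version (Debian/Ubuntu hosts only).
scan() {
  shift  # drop the --scan flag
  echo "== libu2f-host in the loader cache =="
  /sbin/ldconfig -p 2>/dev/null | libu2f_paths
  for bin in "$@"; do
    echo "== $bin =="
    ldd "$bin" 2>/dev/null | libu2f_paths
  done
  if command -v dpkg-query >/dev/null 2>&1; then
    pkgver=$(dpkg-query -W -f='${Version}' libu2f-host0 2>/dev/null)
    if [ -n "$pkgver" ]; then
      echo "package libu2f-host0 $pkgver: $(classify_version "$pkgver")"
    fi
  fi
}

# Without --scan the script only defines the functions above.
if [ "${1:-}" = "--scan" ]; then scan "$@"; fi
```

Run it as `sh check-libu2f.sh --scan /path/to/your-u2f-application` on the host being checked. The classification matches the listed Ubuntu builds exactly, so a package with a later Debian revision than those shown here is reported as likely-affected and needs `dpkg --compare-versions` or the package changelog to settle.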