Upcoming Security Release of a Yubico Library (Moderate severity, CVSS 6.3) - Unchecked Buffer libu2f-host
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libu2f-host (Ubuntu) |
Fix Released
|
Medium
|
Steve Beattie | ||
Bug Description
An external security researcher has found an issue on one of our open source libraries (libu2f-host) and we are planning on releasing a new version of the library and then also push the fix to github (https:/
We have agreed on this being of Moderate severity with a CVSS score of 6.3. We have also acquired a CVE number for it (CVE-2018-20340, not yet public). Please note that the CVSS score of 6.3 could be considered too low. Depending on how you interpret it could also be 7.0 (https:/
This bug is under embargo and the disclosure date & time are set for 8th of February, 12.00 CET, so we would be grateful if you could withhold any information or patches until then.
Below is text from our not yet published advisory. I have left out the parts that are not particular to Linux.
I have attached a patch that applies cleanly to 1.1.4 (Bionic) and 1.1.6 (Cosmic).
Please let us know if you any questions or require anything else from us.
Thanks,
Manbeer Singh Bhander on behalf of <email address hidden>
---
Security Advisory 2019-02-08 - Unchecked Buffer in libu2f-host
=======
Tracking IDs: YSA-2019-01, CVE-2018-20340
Summary
-------
Yubico library libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue can allow an attacker with a custom made malicious USB device masquerading as a security key, and physical access to a computer where PAM U2F or an application with libu2f-host integrated, to potentially execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are the most impacted since the arbitrary code could execute with elevated privileges. It is not possible to perform this attack with genuine YubiKey devices and users utilizing a browser implementation of U2F are not affected by this issue.
User Actions
------------
The affected library is included in a variety of applications. We recommend updating all affected software listed below.
Affected Yubico Software:
o YubiKey NEO Manager
Use YubiKey Manager in place of YubiKey NEO Manager.
o PAM U2F tool
Update the libu2f-host library that libpam-u2f depends on.
How to Tell if You’re Affected - Non-Yubico Software
-------
Libu2f-host is an open source implementation of U2F that is made available for solution providers to incorporate for U2F in their products. Software that uses libu2f-host prior to version 1.1.7 could be affected by this issue. Yubico recommends that developers who use libu2f-host in their products update to the latest version of libu2f-host. Libu2f-host version 1.1.7 or above addresses the issue.
In order to determine if a U2F application is using a vulnerable version of libu2f-host, users of U2F enabled software applications may execute the platform specific instructions below.
Because these methods can have varying degrees of accuracy depending on the design of the application, Yubico encourages users to contact U2F application providers directly to find out if the application is impacted, and if so, whether an update is available.
To see if libu2f-host is installed in the library path use the ldconfig command:
$ /sbin/ldconfig -p|grep libu2f-host
To see if a certain application is linked with the library use ldd command:
$ ldd your-u2f-
Downloads
---------
The latest release, 1.1.7, of libu2f-host can be found here under “releases”: https:/
Aggregate Severity Rating
-------
Yubico has rated this issue as Moderate based on maximum security impact. The base CVSS score is 6.3(https:/
Acknowledgments
---------------
On December 18, 2018, Christian Reitter notified Yubico of a security issue. We thank Christian Reitter for reporting this issue and working with us under coordinated vulnerability disclosure.
=======
CVE References
| Manbeer Singh Bhander (msbhander) wrote | #1 |
| description: | updated |
| Steve Beattie (sbeattie) wrote | #2 |
| Changed in libu2f-host (Ubuntu): | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| Changed in libu2f-host (Ubuntu): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Manbeer Singh Bhander (msbhander) wrote | #3 |
| Steve Beattie (sbeattie) wrote | #4 |
| information type: | Private Security → Public Security |
| Manbeer Singh Bhander (msbhander) wrote Re: [Bug 1814153] Re: Upcoming Security Release of a Yubico Library (Moderate severity, CVSS 6.3) - Unchecked Buffer libu2f-host | #5 |
| Ubuntu Foundations Team Bug Bot (crichton) wrote | #6 |
| tags: | added: patch |
| Launchpad Janitor (janitor) wrote | #7 |
| Changed in libu2f-host (Ubuntu): | |
| status: | Triaged → Fix Released |
| Launchpad Janitor (janitor) wrote | #8 |
| Changed in libu2f-host (Ubuntu): | |
| status: | Triaged → Fix Released |
Hi Manbeer,
Thanks for the report and patch.
Just an FYI, we try to avoid issuing security updates on Fridays (and thus try to avoid CRDs that occur on such days), to reduce the amount of work sysadmins might need to do over weekends.