CVSS: 7.5EPSS: 3%CPEs: 1EXPL: 0CVE-2019-9578
https://notcve.org/view.php?id=CVE-2019-9578
In devs.c in Yubico libu2f-host before 1.1.8, the response to init is misparsed, leaking uninitialized stack memory back to the device. En devs.c en Yubico libu2f-host, en versiones anteriores a la 1.1.8, la respuesta a init se analiza erróneamente, filtrando memoria de pila no inicializada de vuelta al dispositivo. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html https://blog.inhq.net/posts/yubico-libu2f-host-vuln-part2 https://developers.yubico.com/libu2f-host/Release_Notes.html https://github.com/Yubico/libu2f-host/commit/e4bb58cc8b6202a421e65f8230217d8ae6e16eb5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GMA4H6AZFYIR3LA5VKKEJZNCCIVMUCFQ https://lists.fedoraproject.org/archives/list/packa • CWE-908: Use of Uninitialized Resource •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-20340
https://notcve.org/view.php?id=CVE-2018-20340
Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could enable a malicious token to exploit a buffer overflow. An attacker could use this to attempt to execute malicious code using a crafted USB device masquerading as a security token on a computer where the affected library is currently in use. It is not possible to perform this attack with a genuine YubiKey. Yubico libu2f-host 1.1.6 contiene búferes sin comprobar en devs.c, lo que podría permitir que un token malicioso explote un desbordamiento de búfer. Un atacante podría emplear esto para ejecutar código malicioso mediante un dispositivo USB manipulado enmascarado como token de seguridad en un ordenador en el que se está empleando la librería afectada. • https://blog.inhq.net/posts/yubico-libu2f-host-vuln-part1 https://developers.yubico.com/libu2f-host/Release_Notes.html https://seclists.org/bugtraq/2019/Feb/23 https://security.gentoo.org/glsa/202004-15 https://www.debian.org/security/2019/dsa-4389 https://www.yubico.com/support/security-advisories/ysa-2019-01 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 4.6EPSS: 0%CPEs: 10EXPL: 0CVE-2018-14780
https://notcve.org/view.php?id=CVE-2018-14780
An out-of-bounds read issue was discovered in the Yubico-Piv 1.5.0 smartcard driver. The file lib/ykpiv.c contains the following code in the function `_ykpiv_fetch_object()`: {% highlight c %} if(sw == SW_SUCCESS) { size_t outlen; int offs = _ykpiv_get_length(data + 1, &outlen); if(offs == 0) { return YKPIV_SIZE_ERROR; } memmove(data, data + 1 + offs, outlen); *len = outlen; return YKPIV_OK; } else { return YKPIV_GENERIC_ERROR; } {% endhighlight %} -- in the end, a `memmove()` occurs with a length retrieved from APDU data. This length is not checked for whether it is outside of the APDU data retrieved. Therefore the `memmove()` could copy bytes behind the allocated data buffer into this buffer. Se ha descubierto una vulnerabilidad de lectura fuera de límites en el controlador de tarjetas inteligentes de Yubico-Piv 1.5.0. • http://www.openwall.com/lists/oss-security/2018/08/14/2 https://usn.ubuntu.com/4276-1 https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv https://www.yubico.com/support/security-advisories/ysa-2018-03 • CWE-125: Out-of-bounds Read •
CVSS: 7.2EPSS: 0%CPEs: 10EXPL: 0CVE-2018-14779
https://notcve.org/view.php?id=CVE-2018-14779
A buffer overflow issue was discovered in the Yubico-Piv 1.5.0 smartcard driver. The file lib/ykpiv.c contains the following code in the function `ykpiv_transfer_data()`: {% highlight c %} if(*out_len + recv_len - 2 > max_out) { fprintf(stderr, "Output buffer to small, wanted to write %lu, max was %lu.", *out_len + recv_len - 2, max_out); } if(out_data) { memcpy(out_data, data, recv_len - 2); out_data += recv_len - 2; *out_len += recv_len - 2; } {% endhighlight %} -- it is clearly checked whether the buffer is big enough to hold the data copied using `memcpy()`, but no error handling happens to avoid the `memcpy()` in such cases. This code path can be triggered with malicious data coming from a smartcard. • http://www.openwall.com/lists/oss-security/2018/08/14/2 https://usn.ubuntu.com/4276-1 https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv https://www.yubico.com/support/security-advisories/ysa-2018-03 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2018-9275
https://notcve.org/view.php?id=CVE-2018-9275
In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) 2.18 through 2.25, successful logins can leak file descriptors to the auth mapping file, which can lead to information disclosure (serial number of a device) and/or DoS (reaching the maximum number of file descriptors). En check_user_token en util.c en el módulo Yubico PAM (también conocido como pam_yubico), de la versión 2.18 hasta la 2.25, los inicios de sesión exitosos pueden filtrar descriptores de archivo al archivo de mapeo auth. Esto puede conducir a una divulgación de información (número de serie de un dispositivo) y/o una denegación de servicio (alcance del número máximo de descriptores de archivo). • https://bugzilla.opensuse.org/show_bug.cgi?id=1088027 https://github.com/Yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c2656089ba https://github.com/Yubico/yubico-pam/issues/136 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •