Comment 5 for bug 1814153

Manbeer Singh Bhander (msbhander) wrote : Re: [Bug 1814153] Re: Upcoming Security Release of a Yubico Library (Moderate severity, CVSS 6.3) - Unchecked Buffer libu2f-host

Much appreciated

Thanks,

Manbeer Singh Bhander
Security Technical Program Manager | Yubico <http://www.yubico.com/>

On Fri, Feb 8, 2019 at 2:10 PM Steve Beattie <email address hidden> wrote:

> Making public now that the CRD has passed.
>
> Upstream commit is https://github.com/Yubico/libu2f-host/commit/4d490bb2c528c351e32837fcdaebd998eb5d3f27 .
>
> Thanks!
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1814153
>
> Title:
> Upcoming Security Release of a Yubico Library (Moderate severity, CVSS
> 6.3) - Unchecked Buffer libu2f-host
>
> Status in libu2f-host package in Ubuntu:
> Triaged
>
> Bug description:
> An external security researcher has found an issue on one of our open
> source libraries (libu2f-host) and we are planning on releasing a new
> version of the library and then also push the fix to github
> (https://github.com/Yubico/libu2f-host).
>
> We have agreed on this being of Moderate severity with a CVSS score of
> 6.3. We have also acquired a CVE number for it (CVE-2018-20340, not
> yet public). Please note that the CVSS score of 6.3 could be
> considered too low. Depending on how you interpret it, it could also be
> 7.0 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
>
> This bug is under embargo and the disclosure date & time are set for
> 8th of February, 12.00 CET, so we would be grateful if you could
> withhold any information or patches until then.
>
> Below is text from our not yet published advisory. I have left out the
> parts that are not particular to Linux.
>
> I have attached a patch that applies cleanly to 1.1.4 (Bionic) and
> 1.1.6 (Cosmic).
>
> Please let us know if you have any questions or require anything else from
> us.
>
> Thanks,
>
> Manbeer Singh Bhander on behalf of <email address hidden>
>
> ---
> Security Advisory 2019-02-08 - Unchecked Buffer in libu2f-host
> ==============================================================
> Tracking IDs: YSA-2019-01, CVE-2018-20340
>
> Summary
> -------
> Yubico library libu2f-host prior to version 1.1.7 contains an unchecked
> buffer, which could allow a buffer overflow. Libu2f-host is a library that
> implements the host party of the U2F protocol. This issue can allow an
> attacker with a custom made malicious USB device masquerading as a security
> key, and physical access to a computer where PAM U2F or an application with
> libu2f-host integrated, to potentially execute arbitrary code on that
> computer. Users of the YubiKey PAM U2F Tool are the most impacted since the
> arbitrary code could execute with elevated privileges. It is not possible
> to perform this attack with genuine YubiKey devices and users utilizing a
> browser implementation of U2F are not affected by this issue.
>
> User Actions
> ------------
> The affected library is included in a variety of applications. We
> recommend updating all affected software listed below.
>
> Affected Yubico Software:
> o YubiKey NEO Manager
> Use YubiKey Manager in place of YubiKey NEO Manager.
> o PAM U2F tool
> Update the libu2f-host library that libpam-u2f depends on.
>
> How to Tell if You’re Affected - Non-Yubico Software
> ----------------------------------------------------
> Libu2f-host is an open source implementation of U2F that is made
> available for solution providers to incorporate for U2F in their products.
> Software that uses libu2f-host prior to version 1.1.7 could be affected by
> this issue. Yubico recommends that developers who use libu2f-host in their
> products update to the latest version of libu2f-host. Libu2f-host version
> 1.1.7 or above addresses the issue.
>
> In order to determine if a U2F application is using a vulnerable
> version of libu2f-host, users of U2F enabled software applications may
> execute the platform specific instructions below.
>
> Because these methods can have varying degrees of accuracy depending
> on the design of the application, Yubico encourages users to contact
> U2F application providers directly to find out if the application is
> impacted, and if so, whether an update is available.
>
> To see if libu2f-host is installed in the library path, use the ldconfig
> command:
> $ /sbin/ldconfig -p|grep libu2f-host
> libu2f-host.so.0 (libc6,x86-64) => /usr/local/lib/libu2f-host.so.0
> libu2f-host.so (libc6,x86-64) => /usr/local/lib/libu2f-host.so
>
> To see if a certain application is linked with the library, use the ldd
> command:
> $ ldd your-u2f-application|grep libu2f-host
> libu2f-host.so.0 => /usr/local/lib/libu2f-host.so.0
>
> Downloads
> ---------
> The latest release, 1.1.7, of libu2f-host can be found here under
> “releases”: https://developers.yubico.com/libu2f-host/
>
> Aggregate Severity Rating
> -------------------------
> Yubico has rated this issue as Moderate based on maximum security
> impact. The base CVSS score is 6.3
> (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
>
> Acknowledgments
> ---------------
> On December 18, 2018, Christian Reitter notified Yubico of a security
> issue. We thank Christian Reitter for reporting this issue and working with
> us under coordinated vulnerability disclosure.
>
> =============================================================================
>
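The advisory's "How to Tell if You're Affected" steps (ldd check plus the "prior to 1.1.7" rule), turned into a small POSIX sh check. This is an added example, not code from the advisory or the libu2f-host project; the ldd output it parses is a constructed sample in the advisory's format, and the Ubuntu package name `libu2f-host0` used in the comment is an assumption.

```shell
#!/bin/sh
# Added example: decide whether an application on this host is exposed to
# CVE-2018-20340 (unchecked buffer in libu2f-host, fixed upstream in 1.1.7).
FIXED_VERSION="1.1.7"

# Constructed sample of `ldd your-u2f-application` output (same shape as the
# advisory's example); in real use capture `ldd "$app"` instead.
SAMPLE_LDD='linux-vdso.so.1 (0x00007ffd3a5f0000)
libu2f-host.so.0 => /usr/local/lib/libu2f-host.so.0 (0x00007f1c2b2a0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2aea0000)'

# Return 0 when the ldd output shows the application links libu2f-host.
links_libu2f_host() {
    printf '%s\n' "$1" | grep -q 'libu2f-host\.so'
}

# version_lt A B: return 0 when dotted version A is strictly lower than B.
# Missing components count as 0, so 1.1 < 1.1.7 and 1.1.7 is not < 1.1.7.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# assess_exposure LDD_OUTPUT INSTALLED_VERSION
# Prints "not-linked", "affected" or "fixed". The installed version would
# come from e.g. `dpkg-query -W -f='${Version}' libu2f-host0` on Ubuntu
# (package name assumed), or from the upstream tarball version.
assess_exposure() {
    ldd_out="$1"; installed="$2"
    if ! links_libu2f_host "$ldd_out"; then
        echo "not-linked"
    elif version_lt "$installed" "$FIXED_VERSION"; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# Stand-alone run against the constructed sample with version 1.1.6.
assess_exposure "$SAMPLE_LDD" "1.1.6"
```

On Ubuntu the fix is shipped as a backported patch to 1.1.4 (Bionic) and 1.1.6 (Cosmic), so the package version alone stays below 1.1.7 even when patched; treat "affected" from the version comparison as a prompt to read the package changelog for the CVE-2018-20340 entry rather than as a final verdict.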