
[ASA-201902-7] libu2f-host: arbitrary code execution

2019-02-11 00:00:00 | source: security.archlinux.org

CVSS2: 4.6 Medium (AV:L/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: LOCAL; Attack Complexity: LOW; Authentication: NONE
  Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 6.8 Medium (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: PHYSICAL; Attack Complexity: LOW; Privileges Required: NONE
  User Interaction: NONE; Scope: UNCHANGED
  Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

EPSS: 0.002 Low (Percentile: 56.7%)

Arch Linux Security Advisory ASA-201902-7

Severity: High
Date: 2019-02-11
CVE-ID: CVE-2018-20340
Package: libu2f-host
Type: arbitrary code execution
Remote: No
Link: https://security.archlinux.org/AVG-884

Summary

The package libu2f-host before version 1.1.7-1 is vulnerable to
arbitrary code execution.

Resolution

Upgrade to 1.1.7-1.

pacman -Syu "libu2f-host>=1.1.7-1"

The problem has been fixed upstream in version 1.1.7.

Workaround

None.

Description

The Yubico library libu2f-host prior to version 1.1.7 contains an
unchecked buffer, which could allow a buffer overflow. Libu2f-host is a
library that implements the host party of the U2F protocol. This issue
could allow an attacker who has a custom-made malicious USB device
masquerading as a security key, and physical access to a computer running
PAM U2F or an application with libu2f-host integrated, to potentially
execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool
are the most impacted, since the arbitrary code could execute with
elevated privileges.
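The host-side parsing the advisory refers to is the reassembly of a device's U2FHID response; the example below is added here and is not code from libu2f-host or Arch Linux. It assumes the untrusted value is the device-supplied payload length (BCNTH/BCNTL) of the U2FHID framing (the advisory does not name the unchecked buffer) and shows the bound a host must enforce before copying anything the device announces.

```c
/* Added example, not libu2f-host code: reassemble a U2FHID response from 64-byte
 * HID packets while bounding every copy by the host buffer. Assumption: the
 * untrusted value is the device-supplied payload length (BCNTH/BCNTL). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HID_PKT  64   /* U2FHID packet size */
#define INIT_HDR 7    /* CID(4) + CMD(1) + BCNTH + BCNTL */
#define CONT_HDR 5    /* CID(4) + SEQ(1) */

/* Copies the device payload into out[outcap]; 0 on success, -1 on reject. */
int u2fhid_reassemble(const uint8_t *pkts, size_t npkts,
                      uint8_t *out, size_t outcap, size_t *outlen)
{
    if (npkts == 0 || !(pkts[4] & 0x80)) return -1;   /* first packet must be init */
    size_t bcnt = ((size_t)pkts[5] << 8) | pkts[6];
    if (bcnt > outcap) return -1;          /* the bound an unchecked buffer lacks */
    size_t n = bcnt < HID_PKT - INIT_HDR ? bcnt : HID_PKT - INIT_HDR;
    memcpy(out, pkts + INIT_HDR, n);
    size_t copied = n, pi = 0;
    for (uint8_t seq = 0; copied < bcnt; seq++) {
        if (++pi >= npkts) return -1;      /* fewer packets than announced */
        const uint8_t *p = pkts + pi * HID_PKT;
        if (memcmp(p, pkts, 4) != 0 || p[4] != seq) return -1; /* wrong CID/SEQ */
        size_t rem = bcnt - copied;
        n = rem < HID_PKT - CONT_HDR ? rem : HID_PKT - CONT_HDR;
        memcpy(out + copied, p + CONT_HDR, n);
        copied += n;
    }
    *outlen = copied;
    return 0;
}

/* Constructed sample: a device response announcing `bcnt` bytes of 0xA5 payload,
 * fed into a 64-byte host buffer. Returns bytes accepted, -1 if rejected. */
int check_response(uint16_t bcnt)
{
    uint8_t frames[4 * HID_PKT], out[64]; size_t len = 0;
    memset(frames, 0xA5, sizeof frames);               /* payload filler */
    memcpy(frames, "\x00\x01\x02\x03", 4);             /* channel id */
    frames[4] = 0x83; frames[5] = bcnt >> 8; frames[6] = bcnt & 0xff; /* MSG, BCNT */
    for (uint8_t seq = 0; seq < 3; seq++) {            /* continuation packets */
        uint8_t *p = frames + (seq + 1) * HID_PKT;
        memcpy(p, frames, 4); p[4] = seq;
    }
    if (u2fhid_reassemble(frames, 4, out, sizeof out, &len)) return -1;
    for (size_t i = 0; i < len; i++) if (out[i] != 0xA5) return -2; /* payload intact? */
    return (int)len;
}
```

A response announcing more bytes than the host buffer holds is rejected before any copy, which is the failure mode a malicious device masquerading as a security key would try to provoke.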

Impact

A malicious USB device can execute arbitrary code on the host.

References

https://www.yubico.com/support/security-advisories/ysa-2019-01/
https://security.archlinux.org/CVE-2018-20340

OS         Version  Architecture  Package      Version    Filename
ArchLinux  any      any           libu2f-host  < 1.1.7-1  UNKNOWN
