Yubico version 0.1.9 libykneomgr suffers from out of bounds read and write vulnerabilities.
Multiple Vulnerabilities in Yubico libykneomgr
==============================================
Overview
--------
Confirmed Affected Versions: 0.1.9
Confirmed Patched Versions: -
Vendor: Yubico / Deprecated
Vendor URL: https://www.yubico.com/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/
Summary and Impact
------------------
An out-of-bounds write and an out-of-bounds read were discovered in the
handling of malicious responses received from a smartcard. These might
lead to memory corruption. We assume that they are not easily exploitable.
X41 did not perform a full test or audit on the software.
Please note that the library has been deprecated for more than a year and
no update will be published by the vendor.
Product Description
-------------------
This is a C library to interact with the CCID-part of the YubiKey NEO.
There is a command line tool "ykneomgr" for interactive use. It
supports querying the YubiKey NEO for firmware version, operation mode
(OTP/CCID) and serial number. You may also mode switch the device and
manage applets (list, delete and install).
Out of Bounds Read/Writes
=========================
Severity Rating: Medium
Vector: APDU Response
CVE:
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary and Impact
------------------
File lib/backend_pcsc.c contains the following code in function
`backend_applet_list()`:
```c
{
  size_t i;
  size_t thislen = recv[length++];   /* length byte taken from the card's response, not validated */
  for (i = 0; i < thislen; i++)
    {
      if (appletstr)
        {
          if (reallen + 2 > *len)
            {
              return YKNEOMGR_BACKEND_ERROR;
            }
          sprintf (p, "%02x", recv[length]);   /* writes two hex digits plus a NUL: three bytes */
          p += 2;
        }
      reallen += 2;
      length++;   /* recv[length] is read without comparing length against the response size */
    }
  if (appletstr)
    {
      if (reallen + 1 > *len)
        {
          return YKNEOMGR_BACKEND_ERROR;
        }
      *p = '\0';
      p++;
    }
  reallen++;
  length += 2;
}
```
There is an off-by-one write of a '\x00' when sprintf() is called, since
it terminates the string with a trailing null byte: the check only reserves
two bytes, but sprintf() writes three. Additionally, reads are performed
based on thislen, which is taken from the response data without further
safety checks.
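As an added example (this is not libykneomgr's code; the function name `hardened_applet_list`, the return codes and the record layout `[aid_len][aid bytes][lifecycle][privileges]` are assumptions based on the loop above), the same parsing loop rewritten so that both defects are closed: every AID byte and the two trailing bytes are checked against the response length before they are read, and the output check reserves the terminator together with the hex digits, with snprintf() bounded to the space that actually remains. The sample responses are constructed, not captured from a device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for the hardened parser (hypothetical names, not libykneomgr's). */
enum applet_rc
{
  APPLET_OK = 0,
  APPLET_ERR_SHORT_RESPONSE,  /* a record runs past the end of the APDU data  */
  APPLET_ERR_NO_SPACE         /* the caller's buffer cannot hold the hex output */
};

/* Assumed record layout: [aid_len][aid bytes ...][lifecycle][privileges].
 * Output: one NUL-terminated hex string per AID, written back to back.
 * If out is NULL only the required size is computed (like the original's
 * size-query mode); *outlen is the capacity on entry and bytes needed on exit. */
enum applet_rc
hardened_applet_list (const uint8_t *recv, size_t recvlen, char *out, size_t *outlen)
{
  size_t length = 0;    /* read cursor into recv */
  size_t reallen = 0;   /* output bytes produced (or required) so far */
  size_t cap = *outlen;

  while (length < recvlen)
    {
      size_t thislen = recv[length++];

      /* Fix 1: the AID bytes and the two trailing bytes must lie inside the
       * response before any of them is read. */
      if (thislen > recvlen - length || recvlen - length - thislen < 2)
        return APPLET_ERR_SHORT_RESPONSE;

      /* Fix 2: the space check covers the hex digits and the terminator. */
      size_t need = 2 * thislen + 1;
      if (out)
        {
          if (need > cap - reallen)
            return APPLET_ERR_NO_SPACE;
          for (size_t i = 0; i < thislen; i++)   /* remaining space is >= 3 here */
            snprintf (out + reallen + 2 * i, cap - reallen - 2 * i, "%02x", recv[length + i]);
          out[reallen + 2 * thislen] = '\0';
        }
      reallen += need;
      length += thislen + 2;   /* skip AID, lifecycle and privileges */
    }
  *outlen = reallen;
  return APPLET_OK;
}

/* Constructed sample responses (not captured from a real YubiKey). */
static const uint8_t sample_good[] = {
  0x05, 0xa0, 0x00, 0x00, 0x01, 0x51, 0x0f, 0x00,              /* AID a000000151 */
  0x07, 0xd2, 0x76, 0x00, 0x00, 0x85, 0x01, 0x01, 0x07, 0x00   /* AID d2760000850101 */
};
/* Claims a 9-byte AID but only 3 bytes follow: the unchecked loop would read past it. */
static const uint8_t sample_truncated[] = { 0x09, 0xa0, 0x00, 0x00 };

/* Helpers that return results instead of printing them. */
size_t demo_required_size (void)
{
  size_t n = 0;
  if (hardened_applet_list (sample_good, sizeof sample_good, NULL, &n) != APPLET_OK)
    return 0;
  return n;   /* 11 + 15 = 26 bytes including both terminators */
}

enum applet_rc demo_parse_with_capacity (size_t cap)
{
  char buf[64];
  size_t n = cap;
  if (cap > sizeof buf)
    return APPLET_ERR_NO_SPACE;
  return hardened_applet_list (sample_good, sizeof sample_good, buf, &n);
}

int demo_output_matches (void)
{
  char buf[26];
  size_t n = sizeof buf;
  if (hardened_applet_list (sample_good, sizeof sample_good, buf, &n) != APPLET_OK)
    return 0;
  return n == 26 && strcmp (buf, "a000000151") == 0
         && strcmp (buf + 11, "d2760000850101") == 0;
}

enum applet_rc demo_truncated (void)
{
  size_t n = 0;
  return hardened_applet_list (sample_truncated, sizeof sample_truncated, NULL, &n);
}

int main (void)
{
  char buf[64];
  size_t n = sizeof buf;
  if (hardened_applet_list (sample_good, sizeof sample_good, buf, &n) == APPLET_OK)
    for (size_t off = 0; off < n; off += strlen (buf + off) + 1)
      printf ("applet: %s\n", buf + off);
  printf ("truncated response -> rc %d\n", (int) demo_truncated ());
  return 0;
}
```

With a 26-byte buffer the good response parses completely; with 25 bytes the second record is rejected before anything is written past the end, which is exactly the case the original check misses by one. The truncated response fails the length check before any AID byte is read.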
Workarounds
-----------
It is advised to migrate to YubiKey Manager since the vendor does not
support the library anymore and will not issue a patch.
Timeline
========
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug, but states that the library is deprecated and will not be fixed
2018-08-11 Advisory released
--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
# 0day.today [2018-08-19] #