Buffer Overflow in Yubico PIV Smartcard Driver
CVE-2018-14779

6.8 MEDIUM

Key Information:

Vendor: Yubico
CVE Published: 15 August 2018

What is CVE-2018-14779?

A buffer overflow vulnerability exists in the Yubico PIV smartcard driver, in the function 'ykpiv_transfer_data()'. It stems from inadequate error handling around the buffer size check that precedes a memcpy operation. An attacker can exploit this flaw by sending malicious data from a smartcard, putting data integrity and system stability at risk. Users of the affected versions should apply security updates to mitigate this risk.
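The class of check described above, shown as an added example that is not taken from the Yubico source: card replies are accumulated into a fixed caller buffer, and the size check returns before memcpy can run. All names (append_reply, collect_replies, the status codes) are hypothetical; the 2-byte trailing status word is the ISO 7816-4 reply layout assumed here.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; this is not the driver's own code. */
enum xfer_status { XFER_OK = 0, XFER_SHORT_REPLY = -1, XFER_SIZE_ERROR = -2 };

#define SW_LEN 2 /* trailing status word (SW1 SW2) on every card reply */

struct reply { const unsigned char *data; size_t len; };

/*
 * Append the payload of one card reply to the caller's buffer.
 *   out      caller buffer with capacity max_out bytes
 *   out_len  bytes already stored; updated only on success
 *   reply    raw reply from the card: payload followed by SW1 SW2
 * The card chooses reply_len, so it is treated as untrusted input.
 */
int append_reply(unsigned char *out, size_t *out_len, size_t max_out,
                 const unsigned char *reply, size_t reply_len)
{
    if (reply_len < SW_LEN)          /* prevents size_t underflow below */
        return XFER_SHORT_REPLY;
    size_t payload = reply_len - SW_LEN;

    if (*out_len > max_out)          /* inconsistent caller state */
        return XFER_SIZE_ERROR;
    /* Compare against the remaining space so that no addition can wrap.
     * The return is what makes the check effective: a check that only
     * reports the condition and continues still reaches memcpy. */
    if (payload > max_out - *out_len)
        return XFER_SIZE_ERROR;

    memcpy(out + *out_len, reply, payload);
    *out_len += payload;
    return XFER_OK;
}

/* Collect a chained sequence of replies, aborting on the first error. */
int collect_replies(unsigned char *out, size_t *out_len, size_t max_out,
                    const struct reply *r, size_t n)
{
    *out_len = 0;
    for (size_t i = 0; i < n; i++) {
        int rc = append_reply(out, out_len, max_out, r[i].data, r[i].len);
        if (rc != XFER_OK)
            return rc;
    }
    return XFER_OK;
}
```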

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
