Out-of-Bounds Read Vulnerability in Yubico-Piv Smartcard Driver
CVE-2018-14780

4.6 MEDIUM

Key Information:

Vendor: Yubico
CVE Published: 15 August 2018

What is CVE-2018-14780?

An out-of-bounds read vulnerability exists in the Yubico-Piv smartcard driver version 1.5.0. The issue arises from improper validation of a length during a memory operation in the _ykpiv_fetch_object() function: the code fails to ensure that the length obtained from APDU data stays within the allocated bounds, so data may be copied beyond the allocated buffer. This can lead to unauthorized access or data manipulation, posing significant security risks.
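
The two length checks the description says were missing, shown as an added C example; it is not Yubico's code or the actual fix. The function names, the 0x53 wrapper tag and the BER length encoding are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper: decode a BER length; returns bytes consumed, 0 if truncated. */
static size_t ber_len(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail >= 1 && p[0] < 0x80)  { *len = p[0]; return 1; }
    if (avail >= 2 && p[0] == 0x81) { *len = p[1]; return 2; }
    if (avail >= 3 && p[0] == 0x82) { *len = ((size_t)p[1] << 8) | p[2]; return 3; }
    return 0;
}

/* Copy the value of a 0x53-tagged object out of an untrusted card response.
 * Returns 0 and sets *out_len on success, -1 on malformed input. */
int fetch_object_checked(const uint8_t *resp, size_t resp_len,
                         uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t claimed, hdr;

    if (resp_len < 2 || resp[0] != 0x53)
        return -1;
    hdr = ber_len(resp + 1, resp_len - 1, &claimed);
    if (hdr == 0)
        return -1;
    /* The card chooses 'claimed'; it must fit in the bytes really received... */
    if (claimed > resp_len - 1 - hdr)
        return -1;
    if (claimed > out_cap)          /* ...and in the caller's buffer. */
        return -1;
    memcpy(out, resp + 1 + hdr, claimed);
    *out_len = claimed;
    return 0;
}

int main(void)
{
    /* Constructed responses: one honest, one claiming 256 bytes but carrying 2. */
    const uint8_t ok[]  = {0x53, 0x03, 0xAA, 0xBB, 0xCC};
    const uint8_t lie[] = {0x53, 0x82, 0x01, 0x00, 0xAA, 0xBB};
    uint8_t out[8];
    size_t n = 0;
    int r1 = fetch_object_checked(ok, sizeof ok, out, sizeof out, &n);
    int r2 = fetch_object_checked(lie, sizeof lie, out, sizeof out, &n);
    return (r1 == 0 && r2 == -1) ? 0 : 1;
}
```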

CVSS V3.1

Score: 4.6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
