Buffer Overflow Vulnerability in Yubico's Libu2f-host Library
CVE-2018-20340

6.8MEDIUM

Key Information:

Vendor

Yubico

Status
Libu2f-host
Vendor
CVE Published:
21 March 2019

What is CVE-2018-20340?

The Yubico libu2f-host library version 1.1.6 contains a vulnerability due to unchecked buffers in the devs.c file. This flaw could allow an attacker to exploit a buffer overflow by using a specially crafted USB device that impersonates a legitimate security token, potentially leading to the execution of malicious code on systems where the vulnerable library is utilized. However, it is essential to note that genuine YubiKey devices cannot be used to perform this attack, thus limiting the risk to systems where unauthorized USB devices are connected.

References

https://seclists.org/bugtraq/2019/Feb/23
x_refsource_MISC
https://www.debian.org/security/2019/dsa-4389
x_refsource_MISC
https://www.yubico.com/support/security-advisories/ysa-20...
x_refsource_CONFIRM

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.