-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 X41 D-Sec GmbH Security Advisory: X41-2018-004 Multiple Vulnerabilities in Yubico libykneomgr ============================================== Overview - -------- Confirmed Affected Versions: 0.1.9 Confirmed Patched Versions: - Vendor: Yubico / Depreciated Vendor URL: https://www.yubico.com/ Credit: X41 D-Sec GmbH, Eric Sesterhenn Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/ Summary and Impact - ------------------ An out of bounds write and read was discovered when malicious responses from a smartcard are received. These might lead to memory corruptions. We assume that these are not easily exploitable. X41 did not perform a full test or audit on the software. Please note that the library is deprecated for more than a year and no update will be published by the vendor. Product Description - ------------------- This is a C library to interact with the CCID-part of the YubiKey NEO. There is a command line tool "ykneomgr" for interactive use. It supports querying the YubiKey NEO for firmware version, operation mode (OTP/CCID) and serial number. You may also mode switch the device and manage applets (list, delete and install). Out of Bounds Read/Writes ========================= Severity Rating: Medium Vector: APDU Response CVE: CWE: 120 CVSS Score: 7.1 (High) CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Summary and Impact - ------------------ File lib/backendpcsc.c contains the following code in function `backendappletlist()` {% highlight c %} { sizet i; sizet thislen = recv[length++]; for (i = 0; i < thislen; i++) { if (appletstr) { if (reallen + 2 > *len) { return YKNEOMGRBACKENDERROR; } sprintf (p, "%02x", recv[length]); p += 2; } reallen += 2; length++; } if (appletstr) { if (reallen + 1 > *len) { return YKNEOMGRBACKENDERROR; } *p = '\0'; p++; } reallen++; length += 2; } {% endhighlight %} There is an off-by-one write of a '\x00' when the sprintf() is called, since it terminates the string with a trailing null-byte. Additionally reads are performed based on thislen, which is retrieved from the data without further safety checks. Workarounds - ----------- It is advised to migrate to YubiKey Manager since the vendor does not support the library anymore and will not issue a patch. Timeline ======== 2018-02-03 Issues found 2018-05-22 Vendor contacted 2018-05-22 Vendor reply 2018-06-05 Requesting technical feedback from the vendor 2018-06-06 Vendor confirms bug, but states that library is depreciated, will not be fixed 2018-08-11 Advisory released - -- X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen T: +49 241 9809418-0, Fax: -9 Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989 Geschäftsführer: Markus Vervier -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3PMACgkQo5Klpg50 CxCvvA//RdQkadlV9yD1IFM7+lqkfMYCyeRyjEg19NWY7QL3Y6C0BeMNiMv/q74i TUw3G30X6ehgsaef5VWzpC7IibUC2DbltIZV3tYpNHePvc4GeMAl9dytqAy4MGnM EIxC7RrT4w85EDnaK9NvEXdo2QOlSuzt1MtePYhmoa23wZFH328w1WVhxgAYffna Cu7LCJIgWkh1y5jqc66553g34SRH3jiuVYSwTgIzC2MhVnXrjktbIwgddJLkV5Zr eRktqby13iWZns/oGE4GYjsmryoXaoDfGS5wuro7CNua+JqiEPwsH0bURvJDUxGi MvEEMl5TwoCeTzDqsofLBou1RNLVyI6W19MnYhNC6RCSUuFRXFF3nHqO7vQ5Gpft JS6URDUKWd/reh0Xwy3dlaEaXEIUPEHBcLwd0wmKqVgMTjUrOvgIAED8woS+Rzn9 qI+NbooNGt1OzlXR4RojKjRMJtWcwya8bhlNLk/ZFl/pokAEh6bZ1jcMg/U0NG9Q R4AI2u2NX3lE39ku/dcTQQCJpTTcr0DdGUw6kux0dkJXEhEc6YixgFzrHH1CPS/y 2sYLICX3iWjAtd81CO0PL4QXte2ekh8YWaf/1qV2BusOxwlHQjODO8o3kLueU2DC Uy4ftml35nu+qVS+vYA85N4+4/Fri6UkbjkgbI2fODgE3pImc+A= =dyfA -----END PGP SIGNATURE-----
