CVE Vulnerability

CVE-2018-20340

Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could enable a malicious token to exploit a buffer overflow. An attacker could use this to attempt to execute malicious code using a crafted USB device masquerading as a security token on a computer where the affected library is currently in use. It is not possible to perform this attack with a genuine YubiKey.

4.6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

6.8 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.yubico.com/support/security-advisories/ysa-2019-01/ Patch Vendor Advisory
https://www.debian.org/security/2019/dsa-4389 Third Party Advisory
https://seclists.org/bugtraq/2019/Feb/23 Mailing List Third Party Advisory
https://developers.yubico.com/libu2f-host/Release_Notes.html Release Notes Vendor Advisory
https://blog.inhq.net/posts/yubico-libu2f-host-vuln-part1/
https://security.gentoo.org/glsa/202004-15
Configurations

Configuration 1

cpe:2.3:a:yubico:libu2f-host:1.1.6:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Information

Published : 2019-03-21 04:00

Updated : 2019-12-05 05:15

NVD link : CVE-2018-20340

Mitre link : CVE-2018-20340

Products Affected
No products.
CWE
CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer