PT-2018-12717 · Yubico+2 · Yubico-Piv+2

Eric Sesterhenn · Published 2018-08-15 · Updated 2024-06-15 · CVE-2018-14779

CVSS v2.0: 7.2 (High)

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Yubico-Piv version 1.5.0
Description: A buffer overflow issue was discovered in the Yubico-Piv smartcard driver. The issue arises from the ykpiv_transfer_data() function in the lib/ykpiv.c file, where the code checks if the output buffer is too small but fails to handle the error properly, potentially leading to a buffer overflow when using memcpy(). This can be triggered by malicious data from a smartcard.
Recommendations: For Yubico-Piv version 1.5.0, as a temporary workaround, consider adding proper error handling to the ykpiv_transfer_data() function to avoid the memcpy() operation when the buffer is too small. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
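
The pattern named in the description and the workaround named in the recommendation, side by side, as an added example that is not Yubico's code: every function name, status code and buffer size here is hypothetical. The harness declares an 8-byte capacity inside a 16-byte arena so that a write past the declared capacity can be counted without leaving the arena.

```c
#include <stddef.h>
#include <string.h>

enum { XFER_OK = 0, XFER_SIZE_ERROR = -1 };   /* hypothetical status codes */

typedef int (*copy_fn)(unsigned char *out, size_t cap, size_t used,
                       const unsigned char *chunk, size_t chunk_len);

/* Flawed pattern: the size check records an error but execution falls
 * through to memcpy(), so a device-supplied length still drives the copy. */
static int copy_chunk_flawed(unsigned char *out, size_t cap, size_t used,
                             const unsigned char *chunk, size_t chunk_len)
{
    int res = XFER_OK;
    if (used + chunk_len > cap)
        res = XFER_SIZE_ERROR;            /* noted, but no early exit */
    memcpy(out + used, chunk, chunk_len); /* runs even when too small */
    return res;
}

/* Hardened pattern: reject before copying; the comparison is written so
 * that used + chunk_len cannot wrap around. */
static int copy_chunk_checked(unsigned char *out, size_t cap, size_t used,
                              const unsigned char *chunk, size_t chunk_len)
{
    if (used > cap || chunk_len > cap - used)
        return XFER_SIZE_ERROR;
    memcpy(out + used, chunk, chunk_len);
    return XFER_OK;
}

/* Harness: returns how many bytes were written past a declared capacity
 * of 8 bytes; the 16-byte arena keeps the stray write observable. */
static size_t bytes_past_capacity(copy_fn fn, int *status)
{
    unsigned char arena[16];
    unsigned char card_data[12];          /* constructed oversized response */
    size_t i, spilled = 0;
    memset(arena, 0xAA, sizeof arena);    /* canary fill */
    memset(card_data, 0x41, sizeof card_data);
    *status = fn(arena, 8, 0, card_data, sizeof card_data);
    for (i = 8; i < sizeof arena; i++)
        spilled += (arena[i] != 0xAA);
    return spilled;
}

/* Exit status 0: flawed variant spills 4 bytes, checked variant spills 0. */
int main(void) { int s; return !(bytes_past_capacity(copy_chunk_flawed, &s) == 4
                              && bytes_past_capacity(copy_chunk_checked, &s) == 0); }
```

Both variants report the size error; only the checked one stops the copy, which is why a returned error code alone does not indicate that the buffer was left intact.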

Memory Corruption

Buffer Overflow


Weakness Enumeration

Related Identifiers

CVE-2018-14779
OPENSUSE-SU-2018_2623-1
OPENSUSE-SU-2019:1341-1
OPENSUSE-SU-2019_1341-1
OPENSUSE-SU-2024:11537-1
SUSE-SU-2019:1123-1
SUSE-SU-2019_1123-1
USN-4276-1
USN-4846-1

Affected Products

Suse
Ubuntu
Yubico-Piv