PT-2018-12717 · Yubico · Yubico-Piv

Eric Sesterhenn · Published 2018-08-15 · Updated 2024-06-15 · CVE-2018-14779

CVSS v2.0: 7.2 (High)

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Yubico-Piv version 1.5.0

Description

A buffer overflow issue was discovered in the Yubico-Piv smartcard driver. The issue arises from the ykpiv_transfer_data() function in the lib/ykpiv.c file, where the code checks if the output buffer is too small but fails to handle the error properly, potentially leading to a buffer overflow when using memcpy(). This can be triggered by malicious data from a smartcard.

Recommendations

For Yubico-Piv version 1.5.0, as a temporary workaround, consider adding proper error handling to the ykpiv_transfer_data() function to avoid the memcpy() operation when the buffer is too small. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
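
The pattern described above, as an added example that is not taken from this advisory or from the Yubico-Piv code base: a simplified C model of a size check that only logs before memcpy(), next to a version that returns on every failed check. All function names, the 2-byte status-word trailer and the sample reply bytes are assumptions made for the illustration.

```c
/* Added illustration, NOT the yubico-piv source; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define SW_LEN 2 /* assumption: each reply ends in a 2-byte status word */

/* Flawed shape: the check only logs, then falls through. Never called here. */
int append_chunk_unchecked(unsigned char *out, size_t *out_len, size_t max_out,
                           const unsigned char *recv, size_t recv_len)
{
    if (*out_len + recv_len - SW_LEN > max_out)
        fprintf(stderr, "output buffer too small\n"); /* missing: return */
    memcpy(out + *out_len, recv, recv_len - SW_LEN);
    *out_len += recv_len - SW_LEN;
    return 0;
}

/* Hardened shape: every failed check returns before the copy. */
int append_chunk_checked(unsigned char *out, size_t *out_len, size_t max_out,
                         const unsigned char *recv, size_t recv_len)
{
    if (recv_len < SW_LEN)
        return -1; /* too short: recv_len - SW_LEN would wrap around */
    size_t payload = recv_len - SW_LEN;
    if (*out_len > max_out || payload > max_out - *out_len)
        return -2; /* would not fit; subtraction form cannot overflow */
    memcpy(out + *out_len, recv, payload);
    *out_len += payload;
    return 0;
}

/* Feeds n constructed replies of resp_len bytes into a 10-byte buffer.
 * Returns bytes written, or the negative error code of the rejected reply. */
long feed_chunks(int n, size_t resp_len)
{
    static const unsigned char resp[8] = {1, 2, 3, 4, 5, 6, 0x90, 0x00};
    unsigned char out[10];
    size_t written = 0;
    for (int i = 0; i < n; i++) {
        int rc = append_chunk_checked(out, &written, sizeof out, resp, resp_len);
        if (rc != 0) return rc;
    }
    return (long)written;
}

int main(void)
{
    printf("%ld %ld %ld\n", feed_chunks(1, 8), feed_chunks(2, 8), feed_chunks(1, 1));
    return 0;
}
```

The caller must treat a negative return as a failed transfer and discard the partial output rather than continue parsing it.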

Memory Corruption

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2018-14779
OPENSUSE-SU-2018_2623-1
OPENSUSE-SU-2019:1341-1
OPENSUSE-SU-2019_1341-1
OPENSUSE-SU-2024:11537-1
SUSE-SU-2019:1123-1
SUSE-SU-2019_1123-1
USN-4276-1
USN-4846-1

Affected Products

Suse
Ubuntu
Yubico-Piv