CVE-2018-20340

Name of the Vulnerable Software and Affected Versions Yubico libu2f-host version 1.1.6

Description The issue is related to unchecked buffers in the devs.c file, which could lead to a buffer overflow. This could allow a malicious token to attempt to execute malicious code using a crafted USB device masquerading as a security token on a computer where the affected library is in use. The attack cannot be performed with a genuine YubiKey. The vulnerability is associated with a buffer overflow in the dev.c software, which may allow an attacker to execute arbitrary code.

Recommendations For Yubico libu2f-host version 1.1.6, consider disabling the use of the devs.c file or restricting access to the library until a patch is available. As a temporary workaround, avoid using the affected library with untrusted USB devices. At the moment, there is no information about a newer version that contains a fix for this vulnerability.