PT-2020-13347 · Yubico · Libykpiv

Published: 2020-07-09 · Updated: 2020-07-16 · CVE-2020-13131

CVSS v3.1: 4.3 (Medium)
Vector: AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Yubico libykpiv versions prior to 2.1.0

Description: libykpiv does not properly check embedded length fields during device communication. A malicious PIV token can misreport the returned length fields during RSA key generation, causing stack memory to be copied into heap-allocated memory. This could lead to the leakage of sensitive information, including PINs, passwords, key material, and other data, depending on the integration. The leaked information could then be processed by the caller, potentially crossing trust boundaries. Note that RSA key generation is triggered by the host and cannot be directly triggered by the token.

Recommendations: For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of RSA key generation in libykpiv until a patch is applied. Additionally, restrict access to sensitive information and ensure proper handling of memory to minimize the risk of exploitation.
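The defect class described above, as an added example that is not libykpiv's code: a hypothetical parser for a device reply that carries an embedded length field. The reply layout (one tag byte, one length byte, then payload), the function names, the 0xAA stand-in for stale stack data and the sample byte strings are all constructed for this illustration. The unchecked variant copies as many bytes as the device claims, so a misreported length drags whatever sits after the reply in the stack buffer into the heap copy; the checked variant rejects any claimed length that exceeds the bytes actually received before it copies anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reply layout (constructed for this example, not libykpiv's):
 *   byte 0      : tag
 *   byte 1      : L, the length the device claims for the payload
 *   bytes 2..L+1: payload
 */
#define RESP_BUF_SIZE 64   /* size of the stack buffer a reply is read into */
#define RESP_HDR_LEN  2

typedef enum {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* fewer bytes than a header */
    PARSE_BAD_LENGTH,  /* claimed length exceeds what was received */
    PARSE_NO_MEMORY
} parse_status;

/* Unsafe pattern, simulated inside a bounded scratch buffer so this demo stays
 * memory-safe: the reply occupies the first `received` bytes of a stack buffer
 * whose remainder still holds leftover data (0xAA stands in for it). The copy
 * trusts the claimed length, so the heap copy picks up those stale bytes.
 * Returns how many stale bytes ended up in the heap copy. */
size_t stale_bytes_leaked_unchecked(const uint8_t *reply, size_t received) {
    if (received < RESP_HDR_LEN || received > RESP_BUF_SIZE) return 0;
    uint8_t stack_buf[RESP_BUF_SIZE];
    memset(stack_buf, 0xAA, sizeof stack_buf);      /* leftover stack contents */
    memcpy(stack_buf, reply, received);             /* bytes the device sent */

    size_t claimed = stack_buf[1];
    if (claimed > RESP_BUF_SIZE - RESP_HDR_LEN)     /* clamp only so the demo */
        claimed = RESP_BUF_SIZE - RESP_HDR_LEN;     /* never reads outside stack_buf */

    uint8_t *heap = malloc(claimed ? claimed : 1);
    if (!heap) return 0;
    memcpy(heap, stack_buf + RESP_HDR_LEN, claimed); /* unchecked copy of claimed length */

    size_t stale = 0;
    for (size_t i = received - RESP_HDR_LEN; i < claimed; i++)
        if (heap[i] == 0xAA) stale++;               /* bytes that never came from the device */
    free(heap);
    return stale;
}

/* Hardened pattern: validate the embedded length against the byte count the
 * transport actually returned before allocating or copying anything. */
parse_status extract_payload_checked(const uint8_t *reply, size_t received,
                                     uint8_t **out, size_t *out_len) {
    *out = NULL;
    *out_len = 0;
    if (received < RESP_HDR_LEN) return PARSE_TRUNCATED;

    size_t claimed = reply[1];
    if (claimed > received - RESP_HDR_LEN) return PARSE_BAD_LENGTH; /* device misreported */

    uint8_t *buf = malloc(claimed ? claimed : 1);
    if (!buf) return PARSE_NO_MEMORY;
    memcpy(buf, reply + RESP_HDR_LEN, claimed);     /* bounded by received bytes */
    *out = buf;
    *out_len = claimed;
    return PARSE_OK;
}

/* Constructed sample replies. The first claims 0x30 (48) payload bytes but only
 * 6 were received; the second is consistent. */
const uint8_t SAMPLE_MISREPORTED[] = { 0x7F, 0x30, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 };
const uint8_t SAMPLE_HONEST[]      = { 0x7F, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
```

With the misreported sample the unchecked copy moves 42 stale bytes into the heap buffer, while the checked parser returns PARSE_BAD_LENGTH and allocates nothing; the honest sample yields a four-byte payload in both cases. The check worth keeping is the comparison against `received`, the count the transport layer reports, rather than against the buffer capacity alone: a claimed length can fit the buffer and still reach past the bytes the device actually sent.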

Exploit

Fix

Weakness Enumeration: Out of bounds Read

Related Identifiers: CVE-2020-13131

Affected Products: Libykpiv