CVE-2018-14780 Information
Description
An out-of-bounds read issue was discovered in the Yubico-Piv 1.5.0 smartcard driver. The file lib/ykpiv.c contains the following code in the function _ykpiv_fetch_object():

```c
if(sw == SW_SUCCESS) {
  size_t outlen;
  int offs = _ykpiv_get_length(data + 1, &outlen);
  if(offs == 0) {
    return YKPIV_SIZE_ERROR;
  }
  /* outlen comes from the APDU and is not checked against the received data */
  memmove(data, data + 1 + offs, outlen);
  *len = outlen;
  return YKPIV_OK;
} else {
  return YKPIV_GENERIC_ERROR;
}
```

The memmove() at the end uses a length retrieved from the APDU data. This length is never checked against the size of the APDU data actually received, so the memmove() can copy bytes located past the end of the allocated data buffer into this buffer.
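A bounds-checked form of the copy described above, as an added example; it is not Yubico's code or its actual fix. The names `tlv_length`, `fetch_object_checked`, `recv_len` and the status codes are hypothetical, and the length decoder is a simplified BER-style stand-in rather than `_ykpiv_get_length()`.

```c
#include <stddef.h>
#include <string.h>

enum { OBJ_OK = 0, OBJ_SIZE_ERROR = -1 };  /* hypothetical status codes */

/* Decode a BER-style length at p, reading at most avail bytes.
 * Returns the number of length bytes consumed, or 0 if malformed or truncated. */
static size_t tlv_length(const unsigned char *p, size_t avail, size_t *out)
{
    if (avail >= 1 && p[0] < 0x80)  { *out = p[0]; return 1; }
    if (avail >= 2 && p[0] == 0x81) { *out = p[1]; return 2; }
    if (avail >= 3 && p[0] == 0x82) { *out = ((size_t)p[1] << 8) | p[2]; return 3; }
    return 0;
}

/* data holds recv_len bytes received from the card: tag, length, value.
 * On success the value is moved to the start of data and *len is set. */
int fetch_object_checked(unsigned char *data, size_t recv_len, size_t *len)
{
    size_t outlen = 0, offs;

    if (recv_len < 2)
        return OBJ_SIZE_ERROR;
    offs = tlv_length(data + 1, recv_len - 1, &outlen);
    if (offs == 0)
        return OBJ_SIZE_ERROR;
    /* Reject a claimed length larger than the bytes that follow the header. */
    if (outlen > recv_len - 1 - offs)
        return OBJ_SIZE_ERROR;
    memmove(data, data + 1 + offs, outlen);
    *len = outlen;
    return OBJ_OK;
}

/* Constructed responses below (not captured from a device). */
int demo_honest(void)
{
    unsigned char r[] = { 0x53, 0x03, 0xAA, 0xBB, 0xCC };
    size_t n = 0;
    return fetch_object_checked(r, sizeof r, &n) == OBJ_OK && n == 3 && r[0] == 0xAA;
}

int demo_oversized(void)
{
    unsigned char r[] = { 0x53, 0x82, 0x0F, 0xFF, 0xAA };  /* claims 4095 bytes, carries 1 */
    size_t n = 0;
    return fetch_object_checked(r, sizeof r, &n);
}
```

The oversized response is rejected before any copy happens, because the claimed length is compared with the bytes remaining after the tag and length header.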
CVSS Vector
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Reference
http://www.openwall.com/lists/oss-security/2018/08/14/2
https://usn.ubuntu.com/4276-1/
https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/
https://www.yubico.com/support/security-advisories/ysa-2018-03/
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
4.6
Base Severity
MEDIUM