X41 D-Sec GmbH Security Advisory: X41-2018-001

Multiple Vulnerabilities in Yubico Piv


Confirmed Affected Versions: 1.5.0

Confirmed Patched Versions: -

Vendor: Yubico

Vendor URL: https://www.yubico.com/

Credit: X41 D-Sec GmbH, Eric Sesterhenn

Status: Public

Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/

Summary and Impact

A buffer overflow and an out of bounds memory read were identified in the yubico-piv-tool-1.5.0, these can be triggered by a malicious token.

X41 did not perform a full test or audit on the software.

Product Description

YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, and YubiKey NEO provide Smart Card functionality based on the Personal Identity Verification (PIV) interface specified in NIST SP 800-73, “Cryptographic Algorithms and Key Sizes for PIV.”

Out of Bounds Write via Malicious APDU

Severity Rating: High

Vector: APDU Response

CVE: CVE-2018-14779

CWE: 120

CVSS Score: 7.1 (High)


Summary and Impact

File lib/ykpiv.c contains the following code in function ykpiv_transfer_data()

    if(*out_len + recv_len - 2 > max_out) {                                     
      fprintf(stderr, "Output buffer to small, wanted to write %lu, max was %lu.", *out_len + recv_len - 2, max_out);
    if(out_data) {                                                              
      memcpy(out_data, data, recv_len - 2);                                     
      out_data += recv_len - 2;                                                 
      *out_len += recv_len - 2;                                                 

It is clearly checked whether the buffer is big enough to hold the data copied using memcpy(), but no error handling happens to avoid the memcpy() in such cases. This code path can be triggered with malicious data coming from a smartcard.



Out of Bounds Read via malicious APDU

Severity Rating: LOW

Vector: APDU Response

CVE: CVE-2018-14780

CWE: 125

CVSS Score: 2.2 (Low)


Summary and Impact

File lib/ykpiv.c contains the following code in function _ykpiv_fetch_object()

if(sw == SW_SUCCESS) {
  size_t outlen;
  int offs = _ykpiv_get_length(data + 1, &outlen);
  if(offs == 0) {
    return YKPIV_SIZE_ERROR;
  memmove(data, data + 1 + offs, outlen);
  *len = outlen;
  return YKPIV_OK;
} else {

In the end, a memmove() occurs with a length retrieved from APDU data. This length is not checked if it is outside of the APDU data retrieved. Therefore the memmove() could copy bytes behind the allocated data buffer into this buffer.




2018-02-03 Issues found

2018-05-22 Vendor contacted

2018-05-22 Vendor reply

2018-06-05 Requesting technical feedback from the vendor

2018-06-06 Vendor confirms bug

2018-08-01 CVE ID requested

2018-08-02 CVE ID assigned

2018-08-08 Patched version released by vendor

Author: Eric Sesterhenn
Date: February 03, 2018