CVE-2018-20340
CVE-2018-20340 is a vulnerability of currently unknown severity. Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could enable a malicious token to exploit a buffer overflow. An attacker could use this to attempt to execute malicious code using a crafted USB device masquerading as a security token on a computer where the affected library is currently in use. EPSS estimates a 0.50% chance of exploitation in the next 30 days.
Description
Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could enable a malicious token to exploit a buffer overflow. An attacker could use this to attempt to execute malicious code using a crafted USB device masquerading as a security token on a computer where the affected library is currently in use. It is not possible to perform this attack with a genuine YubiKey.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Yubico | libu2f-host | 1.1.6 |
| Debian | Debian Linux | 9.0 |
References
- https://developers.yubico.com/libu2f-host/Release_Notes.html (Release Notes, Vendor Advisory)
- https://seclists.org/bugtraq/2019/Feb/23 (Mailing List, Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4389 (Third Party Advisory)
- https://www.yubico.com/support/security-advisories/ysa-2019-01/ (Patch, Vendor Advisory)
Timeline
- Status
- Modified
Source: NVD / NIST
