openSUSE Security Update : libu2f-host (openSUSE-2021-799)

medium Nessus Plugin ID 150098

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for libu2f-host fixes the following issues :

This update ships the u2f-host package (jsc#ECO-3687 bsc#1184648)

Version 1.1.10 (released 2019-05-15)

- Add new devices to udev rules.

- Fix a potentially uninitialized buffer (CVE-2019-9578, bsc#1128140)

Version 1.1.9 (released 2019-03-06)

- Fix CID copying from the init response, which broke compatibility with some devices.

Version 1.1.8 (released 2019-03-05)

- Add udev rules

- Drop 70-old-u2f.rules and use 70-u2f.rules for everything

- Use a random nonce for setting up CID to prevent fingerprinting

- CVE-2019-9578: Parse the response to init in a more stable way to prevent leakage of uninitialized stack memory back to the device (bsc#1128140).

Version 1.1.7 (released 2019-01-08)

- Fix for trusting length from device in device init.

- Fix for buffer overflow when receiving data from device. (YSA-2019-01, CVE-2018-20340, bsc#1124781)

- Add udev rules for some new devices.

- Add udev rule for Feitian ePass FIDO

- Add a timeout to the register and authenticate actions.

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected libu2f-host packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1124781

https://bugzilla.opensuse.org/show_bug.cgi?id=1128140

https://bugzilla.opensuse.org/show_bug.cgi?id=1184648

https://jira.suse.com/browse/ECO-3687

Plugin Details

Severity: Medium

ID: 150098

File Name: openSUSE-2021-799.nasl

Version: 1.2

Type: local

Agent: unix

Published: 6/1/2021

Updated: 6/3/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-20340

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libu2f-host-debuginfo, p-cpe:/a:novell:opensuse:libu2f-host-debugsource, p-cpe:/a:novell:opensuse:libu2f-host-devel, p-cpe:/a:novell:opensuse:libu2f-host0, p-cpe:/a:novell:opensuse:libu2f-host0-debuginfo, p-cpe:/a:novell:opensuse:u2f-host, p-cpe:/a:novell:opensuse:u2f-host-debuginfo, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 5/28/2021

Vulnerability Publication Date: 3/5/2019

Reference Information

CVE: CVE-2018-20340, CVE-2019-9578