#VU34863 Double Free in libyang - CVE-2019-20393

Cybersecurity Help s.r.o.

Published: 2020-01-22 | Updated: 2020-08-08

Vulnerability identifier: #VU34863

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-20393

CWE-ID: CWE-415

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libyang
Universal components / Libraries / Libraries used by multiple products

Vendor: CESNET

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libyang: 0.11 - 0.16

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1793930
http://github.com/CESNET/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed
http://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
http://github.com/CESNET/libyang/issues/742

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell SmartFabric OS10

Multiple vulnerabilities in Dell Networking OS10

Red Hat Enterprise Linux 8 update for libyang

Multiple vulnerabilities in CESNET libyang