#VU34864 Double Free in libyang - CVE-2019-20394

Cybersecurity Help s.r.o.

Published: 2020-01-22 | Updated: 2020-08-08

Vulnerability identifier: #VU34864

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-20394

CWE-ID: CWE-415

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libyang
Universal components / Libraries / Libraries used by multiple products

Vendor: CESNET

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A double-free is present in libyang before v1.0-r3 in the function yyparse() when a type statement in used in a notification statement. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libyang: 0.11 - 1.0

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1793932
http://github.com/CESNET/libyang/commit/6cc51b1757dfbb7cff92de074ada65e8523289a6
http://github.com/CESNET/libyang/compare/v1.0-r2...v1.0-r3
http://github.com/CESNET/libyang/issues/769

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell SmartFabric OS10

Multiple vulnerabilities in Dell Networking OS10

Red Hat Enterprise Linux 8 update for libyang

Multiple vulnerabilities in CESNET libyang