#VU34867 Double Free in libyang - CVE-2019-20397

Cybersecurity Help s.r.o.

Published: 2020-01-22 | Updated: 2020-08-08

Vulnerability identifier: #VU34867

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-20397

CWE-ID: CWE-415

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libyang
Universal components / Libraries / Libraries used by multiple products

Vendor: CESNET

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an organization field is not terminated. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libyang: 0.11 - 0.16

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1793928
http://github.com/CESNET/libyang/commit/88bd6c548ba79bce176cd875e9b56e7e0ef4d8d4
http://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
http://github.com/CESNET/libyang/issues/739

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell SmartFabric OS10

Multiple vulnerabilities in Dell Networking OS10

Red Hat Enterprise Linux 8 update for libyang

Multiple vulnerabilities in CESNET libyang