Security Advisory YSA-2021-01
Security Advisory YSA-2021-01 – Tailored Denial of Service Issues in yubihsm-shell
Published Date: 2021-03-04
Tracking IDs: YSA-2021-01
CVEs: CVE-2021-27217, CVE-2021-32489
The yubihsm library, included in the yubihsm-shell project, does not properly validate the length of authenticated messages during device communication. A maliciously-crafted YubiHSM 2 device, or someone with access to traffic between the HSM and yubihsm library, could cause the yubihsm library to fail with a “Not enough space” error and unpredictably crash.
The yubihsm-shell project is included in the YubiHSM 2 SDK product. Version 2.0.3 and prior of the SDK are affected. Note that several components included in the SDK depend on the yubihsm library from the yubihsm-shell project. No YubiKey 5 Series, YubiKey 4 Series, YubiKey FIPS Series, Security Key by Yubico Series, or previous generation YubiKey devices are impacted.
How to tell if you are affected
Check the version of yubihsm-shell:
$ yubihsm-shell --version
If you have version 2.0.3 or below it means you are affected and we recommend upgrading to the latest YubiHSM2 SDK.
Affected parties should upgrade yubihsm-shell by installing the latest version of YubiHSM2 SDK.
Mutually authenticated TLS should be used to prevent an adversary from gaining access to communication between the YubiHSM device and client software. YubiHSM devices should also be used with internal USB slots and in computers with appropriate physical and environmental controls to mitigate threats requiring physical access to the YubiHSM.
An issue was discovered in the _send_secure_msg() function of yubihsm-shell version 2.0.3 and prior. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out of bounds reads performed by aes_remove_padding() can crash the running process depending on the memory layout. An attacker with either physical access to the YubiHSM or the ability to modify communication from the YubiHSM could use the vulnerability to cause a denial of service in the client software.
Shortly after the initial vulnerability was discovered another variant of the vulnerability was found in the _send_secure_msg() function of yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. The OpenSSL CRYPTO_cbc128_decrypt function can be called with an oversized length field, resulting in a crash of the running process. This could be used by an attacker to cause a denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product.
The yubihsm-shell tool can talk to a YubiHSM 2 device either over USB or over the network using the HTTP plugin. In the case of communication over the network, the server side is typically a yubishm-connector process, which in turn talks to the YubiHSM. The protocol is not protected by TLS by default, although the sessions are established cryptographically between the application and the YubiHSM 2 using a symmetric mutual authentication scheme that is both encrypted and authenticated.
A maliciously-crafted YubiHSM 2 device, or someone with access to the HTTP traffic between a client and device as well as the secrets needed to properly generate a valid MAC, could cause the yubihsm connector to crash.
The latest source code release of yubihsm-shell can be found here. The latest version of the YubiHSM2 SDK, which contains binaries for yubihsm-shell for most common platforms, can be found here.
On December 14, 2020, Christian Reitter notified Yubico of the security issue. He then notified Yubico of the variant on February 14, 2021. We thank Christian Reitter for reporting both and working with us under coordinated vulnerability disclosure.
Yubico has rated these issues as Moderate. Both have a CVSS score of 4.4
December 14, 2020 Christian Reitter reports initial issue to Yubico February 14, 2021 Christian Reitter reports the second variant to Yubico March 4, 2021 Security Advisory is published May, 11, 2021 Security Advisory is updated with second variant CVE and details