Security Advisory YSA-2021-02
Security Advisory YSA-2021-02 – Denial of Service in yubihsm-connector
Published Date: 2021-04-14
Tracking IDs: YSA-2021-02
The yubihsm-connector utility provides a HTTP interface for interacting with a YubiHSM 2. This interface is used by many other components in the YubiHSM 2 SDK ecosystem, including the yubihsm-shell, the PKCS#11 library (yubihsm_pkcs11), and the YubiHSM Key Storage Provider (KSP) for Windows®.
yubihsm-connector did not properly validate the length of requests, which can lead to a state where it becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations from being performed until the connector is restarted.
The yubihsm-connector utility is included in the YubiHSM 2 SDK product. All previous versions, up to and including 3.0.0 of the connector utility are affected. Version 3.0.0 was distributed as a part of the YubiHSM 2 SDK 2021.03 release.
All YubiKey products and related software are not affected.
How to tell if you are affected
On the server(s) where the yubihsm-connector utility is deployed, run the command below to obtain the version of the connector.
$ yubihsm-connector version
If the version number is less than
3.0.1, you are affected and should follow the guidance in the Customer Actions section below.
All affected customers should update to the latest version of the yubihsm-connector utility from the YubiHSM 2 SDK Releases page. Furthermore, all affected customers should implement one or more of the mitigations below to ensure unauthorized parties cannot make requests to the connector.
By default, yubihsm-connector only listens for requests originating from the same computer (localhost) and is not accessible by other computers on the network. Thus, in its default configuration this condition is not remotely triggerable.
If the connector is configured to listen on the network and it is not possible to update the yubihsm-connector utility, the mitigations below can be used to prevent unauthorized access to the connector, which prevents the denial of service condition from being able to be triggered remotely.
Mutual TLS Authentication
If the connector must be exposed on the network, adding a HTTP proxy that supports mutual TLS authentication and reconfiguring the yubihsm-connector to only listen for requests from that proxy will prevent unauthorized clients from accessing the connector over the network.
If mutually authenticated TLS is infeasible, the server(s) with yubihsm-connector deployed should be placed on their own network segment. Access to this segment should be restricted to only the servers that need to use the connector to perform their functions.
The yubihsm-connector utility functions as a HTTP to USB proxy, and provides minimal abstractions over the lower level commands sent to the YubiHSM 2 device. This means that any program using the connector must understand the command format and send valid commands to the HTTP endpoint of the connector. All valid commands must be at least three bytes in length, with the first byte being the command id, the second and third being the length of the arguments for the command, and the remaining bytes being the arguments.
Prior to version 3.0.1 of yubihsm-connector, it did not check the length of the request before forwarding the request to the YubiHSM 2 device. Sending a HTTP POST request to the
/api/connector endpoint with 0 through 2 bytes of data in the request body would cause the connector to enter an infinite loop with no exit condition. This is because the YubiHSM 2 would not send any response to a command less than three bytes, and the connector uses a locking mechanism to ensure that no additional commands are sent to the YubiHSM until it has received a response for the previous request. This causes the yubihsm-connector utility to stop responding to all requests until it is restarted.
Aggregate Severity Rating
Yubico has rated this issue as High based on maximum security impact. The base CVSS score is 7.5.
|March 8, 2021||Issue is discovered by Yubico’s internal security team|
|April 14, 2021||YubiHSM SDK 2021.04 is released with a fix for the issue|
|April 14, 2021||Security advisory is published|