Security Advisory YSA-2021-01

Security Advisory YSA-2021-01 – Tailored Denial of Service Issues in yubihsm-shell

Published Date: 2021-03-04

Tracking IDs: YSA-2021-01

CVE: CVE-2021-27217

Summary

The yubihsm library, included in the yubihsm-shell project, does not properly validate the length of authenticated messages during device communication. A maliciously-crafted YubiHSM 2 device, or someone with access to traffic between the HSM and yubihsm library, could cause the yubihsm library to fail with a “Not enough space” error and unpredictably crash.

Affected products

The yubihsm-shell project is included in the YubiHSM 2 SDK product. Version 2.0.3 and prior of the SDK are affected. Note that several components included in the SDK depend on the yubihsm library from the yubihsm-shell project. No YubiKey 5 Series, YubiKey 4 Series, YubiKey FIPS Series, Security Key by Yubico Series, or previous generation YubiKey devices are impacted.

How to tell if you are affected

Check the version of yubihsm-shell:

$ yubihsm-shell --version

yubihsm-shell 2.0.3

If you have version 2.0.3 or below, you are affected and we recommend upgrading to the latest YubiHSM2 SDK.

Customer Actions

Mitigation

Affected parties should upgrade yubihsm-shell by installing the latest version of YubiHSM2 SDK.

Mutually authenticated TLS should be used to prevent an adversary from gaining access to communication between the YubiHSM device and client software. YubiHSM devices should also be used with internal USB slots and in computers with appropriate physical and environmental controls to mitigate threats requiring physical access to the YubiHSM.

Issue Details

An issue was discovered in the _send_secure_msg() function of yubihsm-shell version 2.0.3 and prior. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. An attacker with either physical access to the YubiHSM or the ability to modify communication from the YubiHSM could use the vulnerability to cause a denial of service in the client software.
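As an added illustration, not code from yubihsm-shell, the C routines below show the kind of check a client needs before it removes padding from an authenticated response: the embedded length is accepted only if it fits inside the bytes actually received and is a whole number of AES blocks, and the padding scan is bounded by that checked length. The frame layout (command byte, two-byte big-endian length, payload), the ISO 7816-4 padding style and the function names are assumptions; MAC verification and decryption are left out.

```c
#include <stddef.h>
#include <stdint.h>

#define AES_BLOCK 16
#define HDR_LEN 3   /* assumed layout: cmd(1) | len(2, big-endian) | payload */

typedef enum { FRAME_OK = 0, FRAME_SHORT, FRAME_BAD_LEN, FRAME_BAD_PAD } frame_rc;

/* Accept the embedded length only when it agrees with what was received.
 * The embedded value is never used on its own to index the buffer. */
frame_rc validate_frame_length(const uint8_t *buf, size_t received, size_t *out_len) {
  if (buf == NULL || received < HDR_LEN) return FRAME_SHORT;
  size_t embedded = ((size_t)buf[1] << 8) | buf[2];
  if (embedded > received - HDR_LEN) return FRAME_BAD_LEN;      /* claims more than arrived */
  if (embedded == 0 || embedded % AES_BLOCK != 0) return FRAME_BAD_LEN; /* not block aligned */
  *out_len = embedded;
  return FRAME_OK;
}

/* Strip ISO 7816-4 padding (0x80 followed by zeros) from a decrypted payload.
 * The backwards scan is bounded by len, so it cannot read before buf. */
frame_rc strip_iso7816_padding(const uint8_t *buf, size_t len, size_t *plain_len) {
  size_t i = len;
  while (i > 0 && buf[i - 1] == 0x00) i--;
  if (i == 0 || buf[i - 1] != 0x80) return FRAME_BAD_PAD;
  *plain_len = i - 1;
  return FRAME_OK;
}

/* Header validation first, then padding removal on the validated payload. */
frame_rc parse_response(const uint8_t *buf, size_t received, size_t *plain_len) {
  size_t payload_len = 0;
  frame_rc rc = validate_frame_length(buf, received, &payload_len);
  if (rc != FRAME_OK) return rc;
  return strip_iso7816_padding(buf + HDR_LEN, payload_len, plain_len);
}

int main(void) {
  /* Constructed frame: cmd 0x01, len 16, "hello" + 0x80 + ten zero bytes. */
  uint8_t frame[19] = {0x01, 0x00, 0x10, 'h', 'e', 'l', 'l', 'o', 0x80,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
  size_t n = 0;
  return parse_response(frame, sizeof frame, &n) == FRAME_OK && n == 5 ? 0 : 1;
}
```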

The yubihsm-shell tool can talk to a YubiHSM 2 device either over USB or over the network using the HTTP plugin. In the case of communication over the network, the server side is typically a yubihsm-connector process, which in turn talks to the YubiHSM. The protocol is not protected by TLS by default, although the sessions are established cryptographically between the application and the YubiHSM 2 using a symmetric mutual authentication scheme that is both encrypted and authenticated.

A maliciously-crafted YubiHSM 2 device, or someone with access to the HTTP traffic between a client and device as well as the secrets needed to properly generate a valid MAC, could cause the yubihsm connector to crash.

Downloads

The latest source code release of yubihsm-shell can be found here. The latest version of the YubiHSM2 SDK, which contains binaries for yubihsm-shell for most common platforms, can be found here.

Acknowledgements

On December 14, 2020, Christian Reitter notified Yubico of this security issue. We thank Christian Reitter for reporting it and working with us under coordinated vulnerability disclosure.

Severity

Yubico has rated this issue as Moderate. It has a CVSS score of 4.4.

Timeline

December 14, 2020: Christian Reitter reports issue to Yubico
March 4, 2021: Security Advisory is published