    Security Advisory YSA-2021-02 – Denial of Service in yubihsm-connector

    Published Date: 2021-04-14
    Tracking IDs: YSA-2021-02
    CVE: CVE-2021-28484

    Summary

    The yubihsm-connector utility provides an HTTP interface for interacting with a YubiHSM 2. This interface is used by many other components in the YubiHSM 2 SDK ecosystem, including the yubihsm-shell, the PKCS#11 library (yubihsm_pkcs11), and the YubiHSM Key Storage Provider (KSP) for Windows®.

    yubihsm-connector did not properly validate the length of requests, which can lead to a state where it becomes stuck in a loop waiting for the YubiHSM to send it data, preventing any further operations from being performed until the connector is restarted.

    Affected products

    The yubihsm-connector utility is included in the YubiHSM 2 SDK product. All previous versions of the connector utility, up to and including 3.0.0, are affected. Version 3.0.0 was distributed as part of the YubiHSM 2 SDK 2021.03 release.

    YubiKey products and related software are not affected.

    How to tell if you are affected

    On the server(s) where the yubihsm-connector utility is deployed, run the command below to obtain the version of the connector.

    $ yubihsm-connector version

    If the version number is less than 3.0.1, you are affected and should follow the guidance in the Customer Actions section below.

    Customer Actions

    All affected customers should update to the latest version of the yubihsm-connector utility from the YubiHSM 2 SDK Releases page. Furthermore, all affected customers should implement one or more of the mitigations below to ensure unauthorized parties cannot make requests to the connector.

    Mitigations

    By default, yubihsm-connector only listens for requests originating from the same computer (localhost) and is not accessible by other computers on the network. Thus, in its default configuration this condition is not remotely triggerable.

    If the connector is configured to listen on the network and it is not possible to update the yubihsm-connector utility, the mitigations below can be used to prevent unauthorized access to the connector, which in turn prevents the denial-of-service condition from being triggered remotely.

    Mutual TLS Authentication

    If the connector must be exposed on the network, adding an HTTP proxy that supports mutual TLS authentication and reconfiguring the yubihsm-connector to only listen for requests from that proxy will prevent unauthorized clients from accessing the connector over the network.

    Network Segmentation

    If mutually authenticated TLS is infeasible, the server(s) with yubihsm-connector deployed should be placed on their own network segment. Access to this segment should be restricted to only the servers that need to use the connector to perform their functions.

    Technical Details

    Background

    The yubihsm-connector utility functions as an HTTP-to-USB proxy and provides minimal abstractions over the lower-level commands sent to the YubiHSM 2 device. This means that any program using the connector must understand the command format and send valid commands to the HTTP endpoint of the connector. All valid commands must be at least three bytes in length: the first byte is the command id, the second and third bytes are the length of the arguments for the command, and the remaining bytes are the arguments.

    Issue

    Prior to version 3.0.1, yubihsm-connector did not check the length of a request before forwarding it to the YubiHSM 2 device. Sending an HTTP POST request to the /api/connector endpoint with 0 through 2 bytes of data in the request body would cause the connector to enter an infinite loop with no exit condition. This is because the YubiHSM 2 does not send any response to a command shorter than three bytes, and the connector uses a locking mechanism to ensure that no additional commands are sent to the YubiHSM until it has received a response for the previous request. As a result, the yubihsm-connector utility stops responding to all requests until it is restarted.
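    The defensive check described above, written here as an added Go example that is not yubihsm-connector's own code: the request body is validated against the three-byte header before the device lock is taken, so a short or inconsistent body is rejected with HTTP 400 instead of leaving the lock held. The `forward` callback stands in for the USB round-trip (hypothetical), and the argument-length field is assumed to be big-endian, which the advisory does not state; the declared-length consistency check goes one step beyond the minimum-length check the advisory describes.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
	"net/http"
	"sync"
)

const minCommandLen = 3 // command id (1 byte) + argument length (2 bytes)

var errTooShort = errors.New("body shorter than the 3-byte command header")
var errLenMismatch = errors.New("declared argument length does not match body")

// validateCommand splits a request body into command id and arguments and
// rejects anything the device would never answer. Length field assumed big-endian.
func validateCommand(body []byte) (cmd byte, args []byte, err error) {
	if len(body) < minCommandLen {
		return 0, nil, errTooShort
	}
	declared := int(binary.BigEndian.Uint16(body[1:3]))
	if declared != len(body)-minCommandLen {
		return 0, nil, errLenMismatch
	}
	return body[0], body[minCommandLen:], nil
}

// guardedHandler serialises device access with a mutex, as the connector does,
// but validates before locking so a bad request cannot wedge the lock.
type guardedHandler struct {
	mu      sync.Mutex
	forward func(cmd byte, args []byte) []byte // hypothetical USB round-trip
}

func (h *guardedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 4096)) // bound the read
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	cmd, args, err := validateCommand(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest) // reject before locking
		return
	}
	h.mu.Lock()
	defer h.mu.Unlock()
	_, _ = w.Write(h.forward(cmd, args))
}
```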

    Aggregate Severity Rating

    Yubico has rated this issue as High based on maximum security impact. The base CVSS score is 7.5.

    Timeline

    March 8, 2021 – Issue is discovered by Yubico’s internal security team
    April 14, 2021 – YubiHSM SDK 2021.04 is released with a fix for the issue
    April 14, 2021 – Security advisory is published