• Security Advisory YSA-2021-04

    Security Advisory – Input validation issues in libyubihsm

    Published Date: 2021-12-08
    Tracking IDs: YSA-2021-04
    CVE: CVE-2021-43399
    CVSS 3.1: 4.0

    Summary

    The YubiHSM library included in the yubihsm-shell project does not properly validate the length of some operations, including SSH signing requests and some data operations received from the YubiHSM 2.

    Affected products

    The yubihsm-shell project is included in the YubiHSM 2 SDK product. Release version 2021.08 and prior of the SDK are affected. Note that several components included in the SDK depend on the YubiHSM library from the yubihsm-shell project. YubiHSM, YubiHSM 2, YubiKey 5 Series, YubiKey 4 Series, YubiKey FIPS Series, Security Key by Yubico Series, or previous generation YubiKey devices are not impacted.

    How to tell if you are affected

    Check the version of yubihsm-shell:

    $ yubihsm-shell --version
    yubihsm-shell 2.2.0

    If you have yubihsm-shell version 2.2.0 (included in the YubiHSM 2 SDK 2021.08 release) or below, your software is affected and we recommend upgrading to the latest YubiHSM 2 SDK.

    For users of the YubiHSM 2 SDK without yubihsm-shell, versions 2021.08 and below are affected.

    Customer Actions

    Affected parties should upgrade yubihsm-shell by installing the latest version of YubiHSM 2 SDK.

    Issue Details

    An issue was discovered in the yh_com_sign_ssh_certificate() function of libyubihsm in YubiHSM 2 SDK version 2021.08 and earlier. This function is invoked through both the ‘certify’ command in yubihsm-shell and the ‘-a sign-ssh-certificate’ command-line flag. The function does not correctly validate the input length field of the provided data buffer, which can lead to an out-of-bounds write. In the context of yubihsm-shell, an out-of-bounds write will lead to a crash of the running process due to runtime protections in Yubico releases.

    Binaries and releases from third parties may be impacted differently if different runtime and platform mitigation strategies are used. 

    Boundary checks have been introduced in other areas of libyubihsm to increase the resilience of the logic that processes data from the YubiHSM.
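
    The class of boundary check described above, as an added example that is not code from libyubihsm or from Yubico: a declared length field is validated against both the bytes actually received and the capacity of the fixed destination buffer before any copy. The wire layout (2-byte big-endian length prefix), REQ_BUF_SIZE, request_buf and load_request() are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 2048 /* hypothetical capacity of the fixed destination buffer */

typedef enum { REQ_OK = 0, REQ_TRUNCATED, REQ_LEN_MISMATCH, REQ_TOO_LARGE } req_status;

typedef struct {
  uint8_t data[REQ_BUF_SIZE];
  size_t len;
} request_buf;

/* Hypothetical layout: 2-byte big-endian payload length, then the payload.
 * The length field is untrusted input; it is never used as a copy size
 * until it has been checked against the source and the destination. */
req_status load_request(request_buf *dst, const uint8_t *in, size_t in_len) {
  if (dst == NULL || in == NULL || in_len < 2)
    return REQ_TRUNCATED; /* not even a complete length field */

  size_t declared = ((size_t) in[0] << 8) | in[1];

  /* Source check: the field must describe exactly the bytes that follow.
   * in_len >= 2 was established above, so the subtraction cannot wrap. */
  if (declared != in_len - 2)
    return REQ_LEN_MISMATCH;

  /* Destination check: omitting this comparison is what turns a large
   * length value into an out-of-bounds write in the memcpy below. */
  if (declared > sizeof(dst->data))
    return REQ_TOO_LARGE;

  memcpy(dst->data, in + 2, declared);
  dst->len = declared;
  return REQ_OK;
}

int main(void) {
  request_buf rb;
  /* Constructed sample: length field claims 0xFFFF bytes, only 3 are present. */
  const uint8_t lying[] = {0xFF, 0xFF, 'a', 'b', 'c'};
  printf("status=%d\n", (int) load_request(&rb, lying, sizeof(lying)));
  return 0;
}
```

    Rejecting the request with a distinct status for each failed check lets the caller log which bound was violated instead of relying on runtime protections to terminate the process.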

    Downloads

    The current release of the YubiHSM 2 SDK, which contains binaries for yubihsm-shell for most common platforms, can be found here. The current source code release of yubihsm-shell can be found here.

    Acknowledgements

    On September 4, 2021, Christian Reitter notified Yubico of this security issue. We thank Christian Reitter for reporting it and working with us under coordinated vulnerability disclosure.

    Timeline

    September 4, 2021: Christian Reitter reports issue to Yubico
    December 8, 2021: Yubico releases advisory YSA-2021-04