• Security Advisory YSA-2023-01

    Security Advisory YSA-2023-01 – YubiHSM 2 SDK uninitialized memory read in the PKCS11 module

    Published Date: 2023-08-14
    Tracking IDs: YSA-2023-01
    CVE: CVE-2023-39908
    CVSS 3.1: 4.4

    Summary

    The PKCS11 module of the YubiHSM 2 SDK does not properly validate the length of specific read operations on object metadata which may lead to disclosure of uninitialized and previously used memory.

    Affected products

    The affected component is the PKCS11 module of the YubiHSM 2 SDK product. Release version 2023.01 of the SDK is affected.

    YubiHSM, YubiHSM 2, YubiKey 5 Series, YubiKey 4 Series, YubiKey FIPS Series, Security Key by Yubico Series, or previous generation YubiKey devices are not impacted.

    If you have yubihsm-shell version 2.4.0 (included in the YubiHSM 2 SDK 2023.01 release), your software is packaged with the affected component and we recommend upgrading to the latest YubiHSM 2 SDK. This advisory only affects customers who have integrated the PKCS11 module of the YubiHSM 2 SDK into their software development. The functionality in yubihsm-shell binaries is unaffected by this advisory.

    How to tell if you are affected

    Check the version of the YubiHSM 2 SDK:

    Validate the version returned by invoking the C_GetInfo function of the YubiHSM 2 SDK. 

    Users of the PKCS11 module of the YubiHSM 2 SDK, versions 2023.01 are affected.

    Customer Actions

    Affected parties should upgrade yubihsm-shell by installing the latest version of YubiHSM 2 SDK.

    Issue Details

    An issue was discovered in the populate_template() function of the PKCS11 module of libyubihsm in YubiHSM 2 SDK version 2023.01 where up to 8192 bytes of previously used stack memory may be disclosed to the caller. An authenticated session with the YubiHSM2 is required for the function call to process. 

    Reading of this uninitialized memory may lead to a disclosure of application memory, but does not affect secrets stored within the HSM. 

    Binaries and releases from third parties integrating this PKCS11 functionality may be impacted differently based on the order of function calls, the data these functions process, and various stack alignment requirements of the operating processor architecture. 

    Downloads

    The current release of the YubiHSM 2 SDK can be found here.

    Note:
    The first publishing of this advisory incorrectly stated that affected versions of the YubiHSM 2 SDK were 2023.01 and earlier. This has been corrected as the only vulnerable version is 2023.01.

    Acknowledgements

    On May 18, 2023, Heiko Schäfer and Christian Reitter notified Yubico of this security issue. We thank them for reporting it and working with us under coordinated vulnerability disclosure.

    Timeline

    May 18, 2023Issue is reported to Yubico
    August 14, 2023Yubico releases advisory YSA-2023-01
    August 15, 2023Noted correction for affected versions