CVE-2021-27217 - OpenCVE

An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product.

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:S/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Yubico	Yubihsm-shell

Configuration 1 [-]

cpe:2.3:a:yubico:yubihsm-shell:*:*:*:*:*:*:*:*

References

Link	Resource
https://blog.inhq.net/posts/yubico-libyubihsm-vuln2	Exploit Third Party Advisory
https://github.com/Yubico/yubihsm-shell/releases	Release Notes Third Party Advisory
https://www.yubico.com/support/security-advisories/ysa-2021-01/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-04T17:45:33

Updated: 2021-03-16T16:27:17

Reserved: 2021-02-15T00:00:00

Link: CVE-2021-27217

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-04T18:15:14.050

Modified: 2021-03-26T20:07:43.167

Link: CVE-2021-27217

JSON object: View

Redhat Information

No data.

CWE

CWE-125

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-16T16:27:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/Yubico/yubihsm-shell/releases"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.yubico.com/support/security-advisories/ysa-2021-01/"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27217", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Yubico/yubihsm-shell/releases", "refsource": "MISC", "url": "https://github.com/Yubico/yubihsm-shell/releases"}, {"name": "https://www.yubico.com/support/security-advisories/ysa-2021-01/", "refsource": "CONFIRM", "url": "https://www.yubico.com/support/security-advisories/ysa-2021-01/"}, {"name": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln2", "refsource": "MISC", "url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln2"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27217", "datePublished": "2021-03-04T17:45:33", "dateReserved": "2021-02-15T00:00:00", "dateUpdated": "2021-03-16T16:27:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yubico:yubihsm-shell:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F7C9BAC-A77B-4333-A29C-4EABAF1B7003", "versionEndIncluding": "2.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product."}, {"lang": "es", "value": "Se detect\u00f3 un problema en la funci\u00f3n _send_secure_msg() de Yubico yubihsm-shell versiones hasta de 2.0.3. La funci\u00f3n no comprueba correctamente el campo de longitud insertado de un mensaje autenticado recibido del dispositivo. Lecturas fuera de l\u00edmites llevadas a cabo por la funci\u00f3n aes_remove_padding() pueden bloquear el proceso en ejecuci\u00f3n, dependiendo del dise\u00f1o de la memoria. Esto podr\u00eda ser usado por un atacante para conllevar una denegaci\u00f3n de servicio del lado del cliente. El proyecto yubihsm-shell est\u00e1 incluido en el producto YubiHSM 2 SDK"}], "id": "CVE-2021-27217", "lastModified": "2021-03-26T20:07:43.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-04T18:15:14.050", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln2"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Yubico/yubihsm-shell/releases"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.yubico.com/support/security-advisories/ysa-2021-01/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}