Denial of Service Vulnerability in Yubico YubiHSM 2 SDK
CVE-2021-27217

4.4MEDIUM

Key Information:

Vendor

Yubico

Status
Yubihsm-shell
Vendor
CVE Published:
4 March 2021

What is CVE-2021-27217?

A flaw exists in the _send_secure_msg() function of the Yubico yubihsm-shell prior to version 2.0.3. This vulnerability arises from insufficient validation of the embedded length field in authenticated messages from the device. As a result, out-of-bounds reads may occur, potentially leading to crashes of the running process. An attacker could exploit this vulnerability to create a client-side denial of service, compromising the functionality of systems utilizing YubiHSM 2 SDK.

References

https://github.com/Yubico/yubihsm-shell/releases
x_refsource_MISC
https://www.yubico.com/support/security-advisories/ysa-20...
x_refsource_CONFIRM
https://blog.inhq.net/posts/yubico-libyubihsm-vuln2
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.