Integer Overflow Vulnerability in Yubico YubiHSM 2 SDK
CVE-2021-32489

4.4 MEDIUM

Key Information:

Vendor

Yubico

CVE Published:
10 May 2021

What is CVE-2021-32489?

An integer overflow has been reported in the _send_secure_msg() function of Yubico's yubihsm-shell, the host-side library and command-line tool shipped with the YubiHSM 2 SDK. The function does not properly validate the embedded length field of an authenticated message received from the device before using it in arithmetic. A response whose length field is 8 is accepted as valid, the length computation wraps, and the wrapped length is passed to OpenSSL's CRYPTO_cbc128_decrypt, which then reads past the end of the undersized buffer and the process crashes with a segmentation fault. Because the offending value comes from the device side of the connection, triggering the bug requires control over the responses the host receives (a malicious or compromised device, or the ability to tamper with the traffic between the host and the device). The impact is a crash of the application that links yubihsm-shell, that is, a denial of service; the bug itself does not disclose or modify key material.
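To make the length arithmetic concrete, here is an added C example; it is not code from yubihsm-shell or OpenSSL. It models a response frame as one session-id byte, a CBC ciphertext and an 8-byte MAC behind a 16-bit length field. The frame layout, the function names and the constants (SESSION_ID_LEN, MAC_LEN, BLOCK_LEN, MAX_DATA_LEN) are assumptions chosen so that the boundary value named on this page, a length of 8, produces the wrap. The vulnerable helper subtracts the fixed overhead from the peer-controlled length before checking it; the hardened helper rejects out-of-range lengths first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Frame layout assumed for this illustration (not taken from the SDK):
 *   [session id: 1 byte][ciphertext: n * 16 bytes][MAC: 8 bytes]
 * `len` is the 16-bit length field from the message header and counts
 * every byte after the header. */
#define SESSION_ID_LEN 1u
#define MAC_LEN        8u
#define BLOCK_LEN      16u
#define MAX_DATA_LEN   2048u   /* receive buffer capacity, constructed value */

enum frame_status {
  FRAME_OK = 0,
  FRAME_TOO_SHORT,   /* len cannot hold session id + MAC + one cipher block */
  FRAME_TOO_LONG,    /* len exceeds the receive buffer */
  FRAME_BAD_ALIGN    /* ciphertext is not a whole number of CBC blocks */
};

/* Vulnerable pattern: subtract the fixed overhead from a peer-controlled
 * length without first checking that len covers the overhead.  In size_t
 * arithmetic len == 8 gives 8 - 1 - 8, which would be -1 in signed math and
 * wraps to SIZE_MAX here; every len < 9 wraps the same way.  A decrypt
 * routine handed that value walks far past the end of the buffer. */
static size_t ciphertext_len_vulnerable(uint16_t len) {
  return (size_t)len - SESSION_ID_LEN - MAC_LEN;
}

/* Hardened pattern: validate before any arithmetic, then derive the
 * ciphertext length from a value already known to be in range.
 * ct_len may be NULL when the caller only wants the verdict. */
static enum frame_status ciphertext_len_checked(uint16_t len, size_t *ct_len) {
  const size_t min_len = SESSION_ID_LEN + MAC_LEN + BLOCK_LEN;  /* 25 */
  if (len > MAX_DATA_LEN) return FRAME_TOO_LONG;
  if (len < min_len)      return FRAME_TOO_SHORT;
  size_t ct = (size_t)len - SESSION_ID_LEN - MAC_LEN;
  if (ct % BLOCK_LEN != 0) return FRAME_BAD_ALIGN;
  if (ct_len) *ct_len = ct;
  return FRAME_OK;
}

/* Would a CBC decrypt over ct_len bytes, starting after the session id byte,
 * stay inside a receive buffer of buf_len bytes?  Shows the consequence of
 * feeding the wrapped length to a decrypt routine. */
static int decrypt_fits(size_t ct_len, size_t buf_len) {
  return buf_len >= SESSION_ID_LEN && ct_len <= buf_len - SESSION_ID_LEN;
}

int main(void) {
  /* Constructed probe values: below, at and above the overhead boundary. */
  const uint16_t probes[] = { 0, 7, 8, 9, 24, 25, 26, 41, 3000 };
  for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
    uint16_t len = probes[i];
    size_t vuln = ciphertext_len_vulnerable(len);
    size_t ct = 0;
    enum frame_status st = ciphertext_len_checked(len, &ct);
    printf("len=%5u  vulnerable ct_len=%20zu fits=%d  checked=%d ct_len=%zu\n",
           (unsigned)len, vuln, decrypt_fits(vuln, MAX_DATA_LEN), (int)st, ct);
  }
  return 0;
}
```

Compile with any C99 compiler and run it. For a length of 8 the vulnerable helper returns SIZE_MAX and decrypt_fits() reports that no buffer can hold that, which is the situation that ends in a segmentation fault; the checked helper instead rejects anything below 25 bytes, anything over the receive buffer and any ciphertext that is not block aligned. The general rule: check a peer-supplied length against both its minimum and the buffer capacity before it enters any subtraction, and do the check in the same unsigned type as the arithmetic so the comparison cannot itself wrap.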

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
