CVE-2021-27217 - OpenCVE

An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Yubico	Yubihsm-shell

Configuration 1 [-]

cpe:2.3:a:yubico:yubihsm-shell:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blog.inhq.net/posts/yubico-libyubihsm-vuln2
https://github.com/Yubico/yubihsm-shell/releases
https://www.yubico.com/support/security-advisories/ysa-2021-01/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-04T17:45:33

Updated: 2024-08-03T20:40:47.490Z

Reserved: 2021-02-15T00:00:00

Link: CVE-2021-27217

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-04T18:15:14.050

Modified: 2021-03-26T20:07:43.167

Link: CVE-2021-27217

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-16T16:27:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/Yubico/yubihsm-shell/releases"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.yubico.com/support/security-advisories/ysa-2021-01/"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27217", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Yubico/yubihsm-shell/releases", "refsource": "MISC", "url": "https://github.com/Yubico/yubihsm-shell/releases"}, {"name": "https://www.yubico.com/support/security-advisories/ysa-2021-01/", "refsource": "CONFIRM", "url": "https://www.yubico.com/support/security-advisories/ysa-2021-01/"}, {"name": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln2", "refsource": "MISC", "url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:40:47.490Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Yubico/yubihsm-shell/releases"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.yubico.com/support/security-advisories/ysa-2021-01/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln2"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27217", "datePublished": "2021-03-04T17:45:33", "dateReserved": "2021-02-15T00:00:00", "dateUpdated": "2024-08-03T20:40:47.490Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yubico:yubihsm-shell:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F7C9BAC-A77B-4333-A29C-4EABAF1B7003", "versionEndIncluding": "2.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product."}, {"lang": "es", "value": "Se detect\u00f3 un problema en la funci\u00f3n _send_secure_msg() de Yubico yubihsm-shell versiones hasta de 2.0.3. La funci\u00f3n no comprueba correctamente el campo de longitud insertado de un mensaje autenticado recibido del dispositivo. Lecturas fuera de l\u00edmites llevadas a cabo por la funci\u00f3n aes_remove_padding() pueden bloquear el proceso en ejecuci\u00f3n, dependiendo del dise\u00f1o de la memoria. Esto podr\u00eda ser usado por un atacante para conllevar una denegaci\u00f3n de servicio del lado del cliente. El proyecto yubihsm-shell est\u00e1 incluido en el producto YubiHSM 2 SDK"}], "id": "CVE-2021-27217", "lastModified": "2021-03-26T20:07:43.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-04T18:15:14.050", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.inhq.net/posts/yubico-libyubihsm-vuln2"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Yubico/yubihsm-shell/releases"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.yubico.com/support/security-advisories/ysa-2021-01/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}