Security Advisory YSA-2021-01 – Tailored Denial of Service Issues in yubihsm-shell

Published Date: 2021-03-04
Tracking IDs: YSA-2021-01
CVEs: CVE-2021-27217, CVE-2021-32489

Summary

The yubihsm library, included in the yubihsm-shell project, does not properly validate the length of authenticated messages during device communication. A maliciously crafted YubiHSM 2 device, or someone with access to traffic between the HSM and the yubihsm library, could cause the yubihsm library to fail with a “Not enough space” error and unpredictably crash.

Affected Products

The yubihsm-shell project is included in the YubiHSM 2 SDK product. Version 2.0.3 and prior of the SDK are affected. Several components included in the SDK depend on the yubihsm library from the yubihsm-shell project.

How to Tell If You Are Affected

Check the version of yubihsm-shell: if you have version 2.0.3 or below, you are affected and should upgrade.

Customer Actions

Mitigation

Affected parties should upgrade yubihsm-shell by installing the latest version of the YubiHSM2 SDK. Mutually authenticated TLS should be used. YubiHSM devices should also be used with internal USB slots.

Issue Details

The issue was discovered in the function of yubihsm-shell version 2.0.3 and prior. A second vulnerability was found in the function of yubihsm-shell through 2.0.3. The yubihsm-shell tool can talk to a YubiHSM 2 device over USB or over the network using the HTTP plugin.

Downloads

The latest source code release of yubihsm-shell can be found here. The latest version of the YubiHSM2 SDK can be found here.

Acknowledgements

Christian Reitter notified Yubico of the security issue on December 14, 2020.

Severity

Yubico rated these issues as Moderate with a CVSS score of 4.4.

Timeline

December 14, 2020: Initial issue reported to Yubico.
February 14, 2021: Second variant reported.
March 4, 2021: Security Advisory published.
May 11, 2021: Security Advisory updated with second variant details.
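The defect class described in the Summary and Issue Details above, as an added illustration that is not yubihsm-shell's own code: a response copier that checks a frame's declared payload length against both the bytes actually received and the caller's buffer before copying, so a device or on-path party that lies about the length gets a clean error instead of a crash. The wire layout (1-byte command id, 2-byte big-endian length, payload), the function names and the error codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Status codes for the hypothetical copier (assumed, not yubihsm-shell's). */
enum resp_status {
    RESP_OK = 0,
    RESP_ERR_TRUNCATED = 1,        /* declared length exceeds bytes received */
    RESP_ERR_NOT_ENOUGH_SPACE = 2  /* payload does not fit the caller's buffer */
};

/* Assumed frame layout: command id (1 byte), payload length (2 bytes, BE), payload. */
#define RESP_HDR_LEN 3

/* Copy the payload of a received frame into `out`, rejecting any frame whose
 * declared length is inconsistent with `msg_len` or with `out_cap`.
 * On RESP_OK, *out_len holds the payload size. */
enum resp_status resp_copy_payload(const uint8_t *msg, size_t msg_len,
                                   uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (msg == NULL || out == NULL || out_len == NULL || msg_len < RESP_HDR_LEN)
        return RESP_ERR_TRUNCATED;

    size_t declared = ((size_t)msg[1] << 8) | msg[2];

    /* Check 1: never trust the length field beyond the bytes we actually hold. */
    if (declared > msg_len - RESP_HDR_LEN)
        return RESP_ERR_TRUNCATED;

    /* Check 2: fail cleanly when the payload would not fit, instead of
     * overrunning the destination or aborting the process. */
    if (declared > out_cap)
        return RESP_ERR_NOT_ENOUGH_SPACE;

    memcpy(out, msg + RESP_HDR_LEN, declared);
    *out_len = declared;
    return RESP_OK;
}

/* Constructed sample frames: a consistent one, and one whose header claims
 * 0x0100 payload bytes while only 3 follow (what a lying device could send). */
static const uint8_t GOOD_FRAME[]  = {0x7f, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t LYING_FRAME[] = {0x7f, 0x01, 0x00, 'a', 'b', 'c'};

/* Helper for tests: run the copier into a 64-byte scratch buffer limited to `cap`. */
int resp_status_of(const uint8_t *msg, size_t msg_len, size_t cap)
{
    uint8_t scratch[64];
    size_t n = 0;
    if (cap > sizeof scratch) cap = sizeof scratch;
    return (int)resp_copy_payload(msg, msg_len, scratch, cap, &n);
}
```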