CVE-2021-43399

7.5 HIGH

📋 TL;DR

This vulnerability in Yubico's YubiHSM2 library allows buffer overflow attacks by not properly validating input lengths for SSH signing and data operations. Attackers could potentially execute arbitrary code or cause denial of service on systems using YubiHSM 2 hardware security modules. Organizations using YubiHSM 2 devices with the vulnerable library are affected.

💻 Affected Systems

Products:
  • Yubico YubiHSM2 library
  • yubihsm-shell
Versions: 2021.08 and earlier
Operating Systems: All platforms supported by YubiHSM2
Default Config Vulnerable: ⚠️ Yes
Notes: Requires YubiHSM 2 hardware device to be present and accessible. The vulnerability is in the client library, not the HSM firmware itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete compromise of the HSM functionality, potentially allowing extraction of cryptographic keys or manipulation of secure operations.

🟠 Likely Case

Denial of service causing the YubiHSM device to crash or become unresponsive, disrupting cryptographic operations and services relying on it.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, potentially only affecting availability of HSM services.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to the yubihsm-shell service and ability to send malformed requests. Technical details and proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2021.11 or later

Vendor Advisory: https://www.yubico.com/support/security-advisories/ysa-2021-04/

Restart Required: Yes

Instructions:

1. Update yubihsm-shell to version 2021.11 or later.
2. Restart any services using the YubiHSM2 library.
3. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Network Segmentation

Platform: linux

Restrict network access to yubihsm-shell services to only trusted administrative networks (replace trusted_network with your administrative network range):

iptables -A INPUT -p tcp --dport 12345 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 12345 -j DROP

Access Control

Platform: all

Implement strict authentication and authorization controls for yubihsm-shell access.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate YubiHSM management interfaces
  • Monitor for unusual yubihsm-shell activity and implement rate limiting on connections

🔍 How to Verify

Check if Vulnerable:

Check the installed yubihsm-shell version (anything before 2021.11 is affected):

yubihsm-shell --version

Verify Fix Applied:

Verify that the reported version is 2021.11 or later, then confirm that SSH signing operations still work as expected after the update.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed SSH signing attempts
  • yubihsm-shell process crashes
  • Unusual length parameters in HSM operations

Network Indicators:

  • Unusual traffic patterns to yubihsm-shell port
  • Multiple connection attempts with varying payload sizes

SIEM Query:

source="yubihsm-shell" AND (error OR crash OR "invalid length")
