CVE-2021-32489 MEDIUM

Vendor N/A
Product n/a
Published May 10, 2021
Last update August 3, 2024

CVSS v3.1 base score

4.4/10 (Medium)
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through version 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device: a value of response_msg.st.len=8 is accepted but triggers an integer overflow, which causes CRYPTO_cbc128_decrypt (in OpenSSL) to operate on an undersized buffer and segfault. The impact is limited to availability (a crash of the client), which is consistent with the CVSS vector above. The yubihsm-shell project is included in the YubiHSM 2 SDK product.

Key dates

Disclosure timeline

May 10, 2021 CVE published
August 3, 2024 Record updated