Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-39908: Security Advisory YSA-2023-01 - Yubico

The PKCS11 module of the YubiHSM 2 SDK through 2023.01 does not properly validate the length of specific read operations on object metadata. This may lead to disclosure of uninitialized and previously used memory.

CVE
Open in Source
#vulnerability#perl#auth

  • ****Security Advisory YSA-2023-01 – YubiHSM 2 SDK uninitialized memory read in the PKCS11 module****

    Published Date: 2023-08-14
    Tracking IDs: YSA-2023-01
    CVE: CVE-2023-39908
    CVSS 3.1: 4.4

    Summary

    The PKCS11 module of the YubiHSM 2 SDK does not properly validate the length of specific read operations on object metadata which may lead to disclosure of uninitialized and previously used memory.

    Affected products

    The affected component is the PKCS11 module of the YubiHSM 2 SDK product. Release version 2023.01 and prior of the SDK are affected.

    YubiHSM, YubiHSM 2, YubiKey 5 Series, YubiKey 4 Series, YubiKey FIPS Series, Security Key by Yubico Series, or previous generation YubiKey devices are not impacted.

    If you have yubihsm-shell version 2.4.0 (included in the YubiHSM 2 SDK 2023.01 release) or earlier, your software is packaged with the affected component and we recommend upgrading to the latest YubiHSM 2 SDK. This advisory only affects customers who have integrated the PKCS11 module of the YubiHSM 2 SDK into their software development. The functionality in yubihsm-shell binaries is unaffected by this advisory.

    How to tell if you are affected****Check the version of the YubiHSM 2 SDK:

    Validate the version returned by invoking the C_GetInfo function of the YubiHSM 2 SDK.

    Users of the PKCS11 module of the YubiHSM 2 SDK, versions 2023.01 and earlier are affected.

    Customer Actions

    Affected parties should upgrade yubihsm-shell by installing the latest version of YubiHSM 2 SDK.

    Issue Details

    An issue was discovered in the populate_template() function of the PKCS11 module of libyubihsm in YubiHSM 2 SDK version 2023.01 and earlier where up to 8192 bytes of previously used stack memory may be disclosed to the caller. An authenticated session with the YubiHSM2 is required for the function call to process.

    Reading of this uninitialized memory may lead to a disclosure of application memory, but does not affect secrets stored within the HSM.

    Binaries and releases from third parties integrating this PKCS11 functionality may be impacted differently based on the order of function calls, the data these functions process, and various stack alignment requirements of the operating processor architecture.

    Downloads

    The current release of the YubiHSM 2 SDK can be found here.

    Acknowledgements

    On May 18, 2023, Heiko Schäfer and Christian Reitter notified Yubico of this security issue. We thank them for reporting it and working with us under coordinated vulnerability disclosure.

    ****Timeline****

    May 18, 2023

    Issue is reported to Yubico

    August 14, 2023

    Yubico releases advisory YSA-2023-01

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE