An issue was discovered in the _send_secure_msg() function of yubihsm-shell through 2.0.2. The function does not validate the embedded length field of a message received from the device. This could lead to an oversized memcpy() call that will crash the running process. This could be used by an attacker to cause a denial of service.
References
Link | Resource |
---|---|
https://blog.inhq.net/posts/yubico-libyubihsm-vuln/ | Exploit Third Party Advisory |
https://developers.yubico.com/yubihsm-shell/ | Vendor Advisory |
https://github.com/Yubico/yubihsm-shell | Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y77KQJW76M3PFOBFLBT6DLH2NWHYRNZO/ | |
https://www.yubico.com/support/security-advisories/ysa-2020-06/ | Vendor Advisory |
https://blog.inhq.net/posts/yubico-libyubihsm-vuln/ | Exploit Third Party Advisory |
https://developers.yubico.com/yubihsm-shell/ | Vendor Advisory |
https://github.com/Yubico/yubihsm-shell | Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y77KQJW76M3PFOBFLBT6DLH2NWHYRNZO/ | |
https://www.yubico.com/support/security-advisories/ysa-2020-06/ | Vendor Advisory |
Configurations
History
21 Nov 2024, 05:14
Type | Values Removed | Values Added |
---|---|---|
References | () https://blog.inhq.net/posts/yubico-libyubihsm-vuln/ - Exploit, Third Party Advisory | |
References | () https://developers.yubico.com/yubihsm-shell/ - Vendor Advisory | |
References | () https://github.com/Yubico/yubihsm-shell - Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y77KQJW76M3PFOBFLBT6DLH2NWHYRNZO/ - | |
References | () https://www.yubico.com/support/security-advisories/ysa-2020-06/ - Vendor Advisory |
07 Nov 2023, 03:19
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2020-10-19 20:15
Updated : 2024-11-21 05:14
NVD link : CVE-2020-24388
Mitre link : CVE-2020-24388
CVE.ORG link : CVE-2020-24388
JSON object : View
Products Affected
yubico
- yubihsm-shell
fedoraproject
- fedora