CVE-2021-32489

Name of the Vulnerable Software and Affected Versions: Yubico yubihsm-shell versions 2.0.0 through 2.0.3

Description: An issue was discovered in the send secure msg() function. The function does not correctly validate the embedded length field of an authenticated message received from the device, which can trigger an integer overflow. This causes CRYPTO cbc128 decrypt (in OpenSSL) to encounter an undersized buffer and experience a segmentation fault. The yubihsm-shell project is included in the YubiHSM 2 SDK product.

Recommendations: For versions 2.0.0 through 2.0.3, as a temporary workaround, consider disabling the send secure msg() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.