CVE-2021-43399
Description
Yubico yubihsm-shell 2021.08 and prior contains a stack-buffer overflow via an SSH certificate signing request due to missing input-length validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Yubico yubihsm-shell project (included in the YubiHSM 2 SDK), version 2021.08 and earlier, contains a stack-based buffer overflow in the `yh_com_sign_ssh_certificate()` function of libyubihsm. When the `-a sign-ssh-certificate` command-line action is invoked, the tool reads an SSH certificate file into a fixed `buf[]` buffer of 8192 bytes without properly validating the input length field of the provided data. This causes an out-of-bounds write if the crafted input exceeds the buffer size [1][2].
Exploitation
An attacker needs to be able to supply a malicious SSH certificate file to the yubihsm-shell tool via the command line (e.g., by convincing a user or an automated process to process a crafted input). No authentication or elevated privileges are required beyond local or remote access to the input data. The attacker crafts an SSH signing request with an oversized length field, which is then copied to the stack buffer, triggering the overflow [1][2].
Impact
Successful exploitation can lead to a stack buffer overflow with attacker-controlled data. In the default build with runtime protections (e.g., stack canaries, ASLR), the overflow typically results in a crash (denial of service). On platforms without such mitigations, the attacker may achieve arbitrary code execution in the context of the yubihsm-shell process [1][2].
Mitigation
Yubico released a fixed version in the YubiHSM 2 SDK. Affected parties should upgrade to the latest version of the YubiHSM 2 SDK, which includes patched yubihsm-shell code. No workaround is available for the unpatched software. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Yubico YubiHSM/YubiHSM2 library
- Range: =2021.08
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing length validation in SSH signing request handling allows a stack-based buffer overflow when oversized data is copied from the YubiHSM 2 device response."
Attack vector
An attacker supplies a crafted SSH certificate request file (e.g., 4242 bytes as shown in the PoC) to the `yubihsm-shell` `sign-ssh-certificate` command. The program reads this file and passes it to the YubiHSM 2 device, which returns a response whose length exceeds the allocated stack buffer. The missing length validation causes a stack-based buffer overflow during `memcpy()` [ref_id=1]. The attacker must have enough privilege to place the malicious file on disk and convince a higher-privileged user (or automated system) to process it via the HSM CLI tool [ref_id=1].
Affected code
The vulnerability resides in the `yh_com_sign_ssh_certificate()` function within the yubihsm-shell project (version 2021.08). The function does not properly validate the length of SSH signing request data received from a YubiHSM 2 device before copying it into a fixed-size stack buffer.
What the fix does
The fix was released in yubihsm-shell version 2.3.0 (bundled in SDK release 2021.12) [ref_id=1]. The advisory does not include a patch diff, but the remediation adds proper length validation before the `memcpy()` operation in the SSH signing code path, preventing oversized responses from overflowing the stack buffer. Existing hardening flags (`-fstack-protector-all` and `-D_FORTIFY_SOURCE=2`) cause the program to terminate safely when the overflow is detected, limiting the impact to denial of service [ref_id=1].
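The kind of length validation described above, as an added example (not code from yubihsm-shell or the advisory): `frame_request()`, `HDR_LEN` and the 4-byte length header are hypothetical, and the 8192-byte capacity is the size quoted in the description. It also shows why the check should subtract from the capacity instead of adding to the length, because the addition can wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 8192u /* buffer size quoted in the description above */
#define HDR_LEN 4u    /* hypothetical framing bytes placed before the request */

/* Constructed sample input: an all-zero request, not real certificate data. */
static const uint8_t SAMPLE_REQ[BUF_CAP];

/* Naive check: HDR_LEN + len wraps around for a huge len and then passes. */
static int naive_fits(size_t len) { return HDR_LEN + len <= BUF_CAP; }

/* Wrap-safe check: compare len with the space left after the header. */
static int safe_fits(size_t len) { return len <= BUF_CAP - HDR_LEN; }

/* Frames a request into a fixed-size stack buffer behind a big-endian
 * length header. Returns the framed length, or -1 if the request is
 * rejected; no byte is copied unless the length has been validated. */
long frame_request(const uint8_t *req, size_t req_len)
{
    uint8_t buf[BUF_CAP];

    if (req == NULL || !safe_fits(req_len))
        return -1;

    buf[0] = (uint8_t)(req_len >> 24);
    buf[1] = (uint8_t)(req_len >> 16);
    buf[2] = (uint8_t)(req_len >> 8);
    buf[3] = (uint8_t)req_len;
    memcpy(buf + HDR_LEN, req, req_len); /* bounded by the check above */
    return (long)(HDR_LEN + req_len);
}

int main(void)
{
    printf("fits exactly:   %ld\n", frame_request(SAMPLE_REQ, BUF_CAP - HDR_LEN));
    printf("one byte over:  %ld\n", frame_request(SAMPLE_REQ, BUF_CAP - HDR_LEN + 1));
    printf("SIZE_MAX naive: %d, safe: %d\n", naive_fits(SIZE_MAX), safe_fits(SIZE_MAX));
    return 0;
}
```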
Preconditions
- input: Attacker must be able to write a crafted SSH certificate request file to disk on the target system
- auth: A user (or automated process) must run yubihsm-shell with the sign-ssh-certificate command pointing to the attacker-controlled file
- config: A YubiHSM 2 device must be connected and accessible via the yubihsm-shell connector
Reproduction
```bash
# create a dummy input file with a problematic filesize
dd if=/dev/zero bs=4242 count=1 of=example1.req
# trigger the affected functionality
sudo ./yubihsm-shell --connector=yhusb:// -v127 -p password -a sign-ssh-certificate --template-id 0x1234 --algorithm rsa-pkcs1-sha1 --in example1.req
```
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- blog.inhq.net/posts/yubico-yubihsm-shell-vuln3/ (mitre, x_refsource_MISC)
- www.yubico.com/support/security-advisories/ysa-2021-04/ (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.