CVE-2021-28484: 
Linux Fedora vulnerability analysis and mitigation

The yubihsm-connector utility, which provides an HTTP interface for interacting with a YubiHSM 2, contained a vulnerability (CVE-2021-28484) that was discovered on March 8, 2021, and patched on April 14, 2021. The vulnerability affected all versions up to and including 3.0.0 of the connector utility, which was distributed as part of the YubiHSM 2 SDK 2021.03 release (Yubico Advisory).

The vulnerability stemmed from the yubihsm-connector's failure to properly validate request lengths before forwarding them to the YubiHSM 2 device. When receiving HTTP POST requests to the /api/connector endpoint with 0-2 bytes of data in the request body, the connector would enter an infinite loop with no exit condition. This occurred because the YubiHSM 2 would not send any response to commands less than three bytes, while the connector used a locking mechanism to ensure no additional commands were sent until receiving a response for the previous request (Yubico Advisory).

The vulnerability could lead to a denial of service condition where the yubihsm-connector would become stuck in a loop waiting for the YubiHSM to send data, preventing any further operations until the connector was restarted. This affected multiple components in the YubiHSM 2 SDK ecosystem, including the yubihsm-shell, the PKCS#11 library (yubihsm_pkcs11), and the YubiHSM Key Storage Provider (KSP) for Windows (Yubico Advisory).

The vulnerability was fixed in version 3.0.1 of yubihsm-connector. For systems unable to update immediately, Yubico recommended two mitigation strategies: 1) Implementing mutual TLS authentication with an HTTP proxy and reconfiguring the connector to only accept requests from that proxy, or 2) Placing servers with yubihsm-connector on a separate network segment with restricted access (Yubico Advisory).