
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN113
_____________________________________________________________________

DATE                : 06/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running YubiKey Validation Server versions
                               up to and including 2.39.

=====================================================================
https://www.yubico.com/support/security-advisories/ysa-2020-01/
_____________________________________________________________________

Security advisory 2020-03-03 – insufficient data validation in yubikey-val

Tracking ID: YSA-2020-01


Summary

Yubico received a report from LinkedIn Information Security indicating
there is insufficient data validation in the open-source project for
YubiKey Validation Server (git: yubikey-val). Yubico verified the issue
and has made a security update available to mitigate this issue and
enhance the validation of information sent to the APIs. The next major
release of the YubiKey Validation Server will become available by July
2020.

This issue potentially affects developers, partners, and customers who
have used a YubiKey Validation Server to build a self-hosted one-time
password (OTP) validation service. The default configuration of the
service only exposes the verify API, which could allow an attacker to
perform a denial of service, potentially preventing legitimate
authentications. Additionally, if the configuration has been modified to
expose the sync API, then this vulnerability could potentially be used
by an attacker to replay a previously used OTP.


Affected software

YubiKey Validation Server releases 2.39 and prior: available from
https://github.com/Yubico/yubikey-val


Affected Yubico devices and services

None. This advisory only pertains to the YubiKey Validation Server
project. It does not affect any YubiKey Series, Security Key Series,
YubiKey firmware, or YubiCloud Service.


Customer actions

If you are managing an implementation of a YubiKey Validation Server,
update your deployment to version 2.40 of YubiKey Validation Server
(available from https://github.com/Yubico/yubikey-val) to mitigate this
issue. Also confirm that the configuration of your service does not
unnecessarily expose API endpoints.


How to check your sync API configuration

    Go to your configuration script (ykval-config.php) and look for the
    following lines:

    $baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array(
        // "1.2.3.4",
        // "2.3.4.5",
        // "3.4.5.6",
        // "fc00:aaaa::",
        // "fc00:bbbb::",
        // "fc00:cccc::",
    );

    If there are uncommented IP addresses listed in this array, then
    these hosts are allowed to use your sync API, and interact with the
    affected code. These IP addresses should be limited to nodes
    participating in the sync pool.

    If there are no uncommented IP addresses listed in this array, then
    no hosts are allowed to use the sync API.
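As an added illustration (not part of the Yubico advisory or of the
yubikey-val project), the following Python script automates the check
above against the text of ykval-config.php: it isolates the
__YKVAL_ALLOWED_SYNC_POOL__ array, discards commented-out entries and
reports which addresses are actually permitted to call the sync API. The
two configuration excerpts embedded in it are constructed samples.

```python
import ipaddress
import re

# Constructed sample: a modified ykval-config.php with two active pool entries.
MODIFIED_CONFIG = r'''<?php
$baseParams = array();
$baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array(
    "10.0.0.5",
    // "1.2.3.4",
    "fc00:aaaa::", // second sync node
    // "fc00:bbbb::",
    /* "3.4.5.6", */
);
'''

# Constructed sample matching the shipped default: every entry commented out.
DEFAULT_CONFIG = r'''<?php
$baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array(
    // "1.2.3.4",
    // "2.3.4.5",
    // "fc00:aaaa::",
);
'''

# Matches the whole array assignment, across lines, up to its closing ");".
POOL_RE = re.compile(
    r"\$baseParams\[\s*['\"]__YKVAL_ALLOWED_SYNC_POOL__['\"]\s*\]\s*=\s*array\s*\((.*?)\);",
    re.DOTALL,
)


def strip_php_comments(src: str) -> str:
    """Drop /* ... */ blocks and // or # line comments. Assumes quoted
    values contain no comment markers, which holds for IP literals."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", src)


def allowed_sync_pool(config_src: str) -> list[str]:
    """Return the IP addresses that are really active in the sync pool."""
    match = POOL_RE.search(config_src)
    if match is None:
        raise ValueError("__YKVAL_ALLOWED_SYNC_POOL__ not found in config")
    body = strip_php_comments(match.group(1))
    hosts = []
    for literal in re.findall(r"""["']([^"']*)["']""", body):
        ipaddress.ip_address(literal)  # raises ValueError on a malformed entry
        hosts.append(literal)
    return hosts


def sync_api_exposed(config_src: str) -> bool:
    """True when at least one host may reach the sync API."""
    return len(allowed_sync_pool(config_src)) > 0
```

Any host reported by allowed_sync_pool should be a node you operate as
part of the sync pool; anything else widens the reach of the sync-side
issue described below.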


Technical details

There are four API endpoints that can be exposed: verify, sync, resync,
and revoke. By default, the verify endpoint is the only API exposed
without an IP whitelist. YubiKey Validation Server does not have
sufficient input validation implemented in the verify and sync APIs.
Insufficient input validation could allow an attacker to perform SQL
injection attacks. The level of impact of the SQL injection varies
depending on the configuration of the YubiKey Validation Server
instance. Verify performs basic validation on all fields prior to
executing database queries but does not check length. An attacker could
abuse this issue by submitting a large entry to be input into the
database, which could cause a denial of service.

Sync does not perform consistent validation on received parameters prior
to executing database queries. However, only sources that are defined in
the __YKVAL_ALLOWED_SYNC_POOL__ are allowed to call the sync API, which
limits the exposure of this issue. The default configuration does not
define any allowed sources for the sync API, meaning all attempts to
call the sync API will be denied. YubiKey Validation Server implementers
may add IP addresses to the sync pool to enable syncing between multiple
validation servers. An attacker with an allowed IP address could
potentially use this vulnerability to replay an OTP.


Frequently asked questions

How do I sign up for security or product updates?


To sign up for security or product updates via email, visit our email
subscription page: https://pages.yubico.com/email_subscription.html


Is YubiCloud affected?

No, YubiCloud is not affected.


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
