StoredSafe Security Advisory 2020-03-10 – Insufficient Data Validation in yubikey-val¶
We where notified by YubiCo on 2020-03-03 on a security advisory affecting our customers.
StoredSafe is bundling and using the YubiKey Validation Server (https://github.com/Yubico/yubikey-val),
which, due to insufficient length validation, an attacker could abuse by submitting
a large entry to be input into the database, which could cause a denial of service.
Of the four API endpoints that can be exposed, verify, sync, resync, and revoke, StoredSafe only
uses the verify API endpoint, and is hence not vulnerable to attacks on the other (sync, resync
and revoke) endpoints.
StoredSafe has verified the issue and has made a security update available, incorporating YubiCo
security fixes to mitigate the problem.
The fixed and signed ISO is available on https://tracker.storedsafe.com as version 2.0.5 build 6074.
If you have questions or concerns, don't hesitate to contact us by email or phone.
More information from YubiCo:
Security advisory 2020-03-03 – insufficient data validation in yubikey-val