Yubico Warns of OTP-Replay Issue In Validation Server

Yubico has released a mitigation for an interesting pair of bugs in its YubiKey Validation Server, one of which could be used by an attacker to replay one-time passwords in some situations.

The vulnerabilities do not affect the YubiCloud hosted service or the hardware YubiKeys that are used for two-factor authentication. Rather, the bugs lie in the Validation Server, an open-source project that implements the Yubico API protocol and enables organizations to validate one-time passwords (OTP). The server can be used by enterprises or developers to build their own self-hosted OTP validation services.

The two weaknesses affect two of the four API endpoints that can be exposed by the YubiKey Validation Server, the verify and sync endpoints.

“By default, the verify endpoint is the only API exposed without an IP whitelist. YubiKey Validation Server does not have sufficient input validation implemented in the verify and sync APIs. Insufficient input validation could allow an attacker to perform SQL injection attacks. The level of impact of the SQL injection varies depending on the configuration of the YubiKey Validation Server instance,” Yubico said in its advisory.

“Verify performs basic validation on all fields prior to executing database queries but does not check length. An attacker could abuse this issue by submitting a large entry to be input into the database, which could cause a denial of service.”
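The verify-endpoint weakness described in the advisory, sketched from the defender's side as an added example (not code from Yubico or the Validation Server project): each field is length-bounded and pattern-checked before anything reaches the database, and the query uses bound parameters. The field patterns, the `MAX_RAW_LEN` bound and the `queue` table are assumptions of this example.

```python
import re
import sqlite3

# Assumed field rules, modelled on the public Yubico validation protocol.
# The exact bounds are this example's assumptions, not the server's source.
CLIENT_ID = re.compile(r"[0-9]{1,9}")
MODHEX_OTP = re.compile(r"[cbdefghijklnrtuv]{32,48}")
NONCE = re.compile(r"[A-Za-z0-9]{16,40}")
RULES = {"id": CLIENT_ID, "otp": MODHEX_OTP, "nonce": NONCE}

# Hard cap applied before any regex or database work, so an oversized
# value is rejected cheaply instead of being stored.
MAX_RAW_LEN = 64


def validate_verify_params(params):
    """Return the checked fields, or raise ValueError naming the bad field."""
    clean = {}
    for name, pattern in RULES.items():
        value = params.get(name)
        if not isinstance(value, str) or len(value) > MAX_RAW_LEN:
            raise ValueError(name)
        # fullmatch anchors both ends, so trailing junk cannot slip through.
        if pattern.fullmatch(value) is None:
            raise ValueError(name)
        clean[name] = value
    return clean


def make_db():
    """In-memory database with a hypothetical request table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE queue (client_id INTEGER, otp TEXT, nonce TEXT)")
    return db


def record_request(db, params):
    """Validate first, then store with bound parameters only."""
    clean = validate_verify_params(params)
    db.execute(
        "INSERT INTO queue (client_id, otp, nonce) VALUES (?, ?, ?)",
        (int(clean["id"]), clean["otp"], clean["nonce"]),
    )
    return clean
```
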

In the other scenario, an attacker may be able to replay one-time passwords by adding an allowed IP address to the pool of addresses that the Validation Server will sync with.

“Sync does not perform consistent validation on received parameters prior to executing database queries. However, only sources that are defined in the YKVAL_ALLOWED_SYNC_POOL are allowed to call the sync API, which limits the exposure of this issue. The default configuration does not define any allowed sources for the sync API, meaning all attempts to call the sync API will be denied,” the advisory says.

“YubiKey Validation Server implementers may add IP addresses to the sync pool to enable syncing between multiple validation servers. An attacker with an allowed IP address could potentially use this vulnerability to replay an OTP.”

Yubico has published an updated version of the Validation Server that contains a mitigation for the vulnerabilities, and the next major release of the server software is expected in July.