Main Vulnerability Database Vulnerabilities #VU29614

Improper access control in YubiKey 5 NFC - CVE-2020-15001

Published: July 9, 2020 / Updated: July 15, 2020

Vulnerability identifier: #VU29614

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2020-15001

CWE-ID: CWE-284

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
YubiKey 5 NFC

Software vendor:
Yubico

Description

The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the access code is not checked when updating NFC-specific components of the OTP configurations. An attacker with physical can bypass implemented security restrictions and perform possible changes to the NDEF prefix as well as which slot is presented over NFC without an access code check.

Note: This vulnerability affects the following versions of YubiKey 5 NFC:

5.0.0 to 5.2.6
5.3.0 to 5.3.1

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links

https://www.yubico.com/support/security-advisories/ysa-2020-04

Improper access control in YubiKey 5 NFC - CVE-2020-15001

Description

Remediation

External links

Please verify you're human