Observable discrepancy in Yubico products - #VU96776
Published: September 4, 2024
YubiKey 5 Series
Security Key Series
YubiKey Bio Series
YubiHSM
Detailed vulnerability description
The vulnerability allows an attacker to recover an ECDSA private key.
The vulnerability exists due to an observable discrepancy in Infineon’s cryptographic library, which is used by the YubiKey 5 Series and Security Key Series firmware. An attacker with physical access to the token can perform a side-channel attack to recover the ECDSA private key and compromise the hardware token.