NewsSecurity Vulnerabilities

Yubico YubiKey 5 Series ECDSA secret-key extraction attack vulnerability [CVE-2024-45678]

CVE number = CVE-2024-45678

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue.

Other uses of an Infineon cryptographic library may also be affected.

Not Affected Products

YubiKey 5 Series version 5.7.0 and newer

YubiKey 5 FIPS Series 5.7 and newer (FIPS submission in process)

YubiKey Bio Series versions 5.7.2 and newer

Security Key Series versions 5.7.0 and newer

YubiHSM 2 versions 2.4.0 and newer

YubiHSM 2 FIPS versions 2.4.0 and newer

Affected

YubiKey 5 Series versions prior to 5.7

YubiKey 5 FIPS Series prior to 5.7

YubiKey 5 CSPN Series prior to 5.7

YubiKey Bio Series versions prior to 5.7.2

Security Key Series all versions prior to 5.7

YubiHSM 2 versions prior to 2.4.0

YubiHSM 2 FIPS versions prior to 2.4.0

How To Tell If You Are Affected

Identify YubiKey Version

To identify the YubiKey, use Yubico Authenticator to identify the model and version of the YubiKey. The series and model of the key will be listed in the upper left corner of the Home screen. In the following example, the YubiKey is a YubiKey 5C NFC version 5.7.0.

Further information – https://www.yubico.com/support/security-advisories/ysa-2024-03/

Luke Simmonds

Blogger at www.systemtek.co.uk

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.