Yubico YubiKey 5 Series ECDSA secret-key extraction attack vulnerability [CVE-2024-45678]
CVE number = CVE-2024-45678
Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue.
Other uses of an Infineon cryptographic library may also be affected.
Not Affected Products
YubiKey 5 Series version 5.7.0 and newer
YubiKey 5 FIPS Series 5.7 and newer (FIPS submission in process)
YubiKey Bio Series versions 5.7.2 and newer
Security Key Series versions 5.7.0 and newer
YubiHSM 2 versions 2.4.0 and newer
YubiHSM 2 FIPS versions 2.4.0 and newer
Affected
YubiKey 5 Series versions prior to 5.7
YubiKey 5 FIPS Series prior to 5.7
YubiKey 5 CSPN Series prior to 5.7
YubiKey Bio Series versions prior to 5.7.2
Security Key Series all versions prior to 5.7
YubiHSM 2 versions prior to 2.4.0
YubiHSM 2 FIPS versions prior to 2.4.0
How To Tell If You Are Affected
Identify YubiKey Version
To identify the YubiKey, use Yubico Authenticator to identify the model and version of the YubiKey. The series and model of the key will be listed in the upper left corner of the Home screen. In the following example, the YubiKey is a YubiKey 5C NFC version 5.7.0.
Further information – https://www.yubico.com/support/security-advisories/ysa-2024-03/
Blogger at www.systemtek.co.uk