Yubikey Security Advisory YSA-2024-03 Infineon Ecdsa Private Key Recovery
Yubico issued a security advisory about a vulnerability in Infineon’s cryptographic library affecting YubiKey and YubiHSM devices. Users should update firmware and enhance physical security measures to mitigate risks.
Read original article
A security advisory (YSA-2024-03) has been issued by Yubico regarding a vulnerability in Infineon’s cryptographic library, affecting several YubiKey and YubiHSM models with firmware versions prior to 5.7.0 and 2.4.0, respectively. The vulnerability, rated with a CVSS score of 4.9, allows an attacker with physical access to the devices to potentially recover private keys through sophisticated attacks. This primarily impacts FIDO use cases, as the affected functionality is integral to the FIDO standard. Other applications, such as YubiKey PIV and OpenPGP, may also be at risk depending on user configurations. Yubico has since removed the dependency on Infineon’s library in favor of its own cryptographic solutions to enhance security. Users are advised to check their device versions and consider mitigation strategies, such as using RSA signing keys and adjusting identity provider settings to reduce exposure. The advisory highlights the importance of physical security and the need for organizations to implement additional authentication measures to safeguard against potential exploits.
- A vulnerability in Infineon's cryptographic library affects YubiKey and YubiHSM devices with outdated firmware.
- The vulnerability allows attackers with physical access to recover private keys, primarily impacting FIDO use cases.
- Yubico has transitioned to its own cryptographic library to mitigate risks associated with the vulnerability.
- Users are encouraged to update their devices and implement additional security measures.
- The advisory emphasizes the importance of physical security in protecting sensitive authentication keys.
Related
Compromising the Secure Boot Process
Researchers from Binarly revealed a security vulnerability in the Secure Boot process affecting over 200 device models due to a leaked cryptographic key, raising concerns about potential cyberattacks and security practices.
Secure Boot useless on PCs from major vendors after key leak
A study by Binarily found that hundreds of PCs from major manufacturers are vulnerable due to a leaked 12-year-old test platform key, allowing attackers to bypass Secure Boot protections.
Major Backdoor in RFID Cards Allows Instant Cloning
A security vulnerability in RFID cards from Shanghai Fudan Microelectronics allows instant cloning, affecting MIFARE Classic cards used globally. Organizations are urged to assess their security against potential supply chain attacks.
The Yubikey Is the Digital Seatbelt We Need
The article advocates for stronger cybersecurity through hardware security keys like Yubikeys, urging legislative action and investigation by the Massachusetts Attorney General to protect sensitive data in critical sectors.
EUCLEAK Side-Channel Attack on the YubiKey 5 Series
A study revealed a side-channel vulnerability in Infineon Technologies' cryptographic library, affecting YubiKey 5 Series devices below firmware 5.7. A patch exists, but certification is pending.
4 commentsThey don't allow FW upgrades for dubious reasons, and they aren't issuing replacements? It's so sad that the OSS alternatives are so lacking.
Maybe time to pickup a Precursor and start taking this all a bit more seriously.
Related
Compromising the Secure Boot Process
Researchers from Binarly revealed a security vulnerability in the Secure Boot process affecting over 200 device models due to a leaked cryptographic key, raising concerns about potential cyberattacks and security practices.
Secure Boot useless on PCs from major vendors after key leak
A study by Binarily found that hundreds of PCs from major manufacturers are vulnerable due to a leaked 12-year-old test platform key, allowing attackers to bypass Secure Boot protections.
Major Backdoor in RFID Cards Allows Instant Cloning
A security vulnerability in RFID cards from Shanghai Fudan Microelectronics allows instant cloning, affecting MIFARE Classic cards used globally. Organizations are urged to assess their security against potential supply chain attacks.
The Yubikey Is the Digital Seatbelt We Need
The article advocates for stronger cybersecurity through hardware security keys like Yubikeys, urging legislative action and investigation by the Massachusetts Attorney General to protect sensitive data in critical sectors.
EUCLEAK Side-Channel Attack on the YubiKey 5 Series
A study revealed a side-channel vulnerability in Infineon Technologies' cryptographic library, affecting YubiKey 5 Series devices below firmware 5.7. A patch exists, but certification is pending.