CVE-2024-45678

Sept. 12, 2024, 8:07 p.m.

4.2
Medium

Description

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

Product(s) Impacted

Vendor: Yubico

Product: Versions
  • Yubikey 5c Nfc Firmware: *
  • Yubikey 5c Nfc: -
  • Yubikey 5 Nfc Firmware: *
  • Yubikey 5 Nfc: -
  • Yubikey 5c Firmware: *
  • Yubikey 5c: -
  • Yubikey 5 Nano Firmware: *
  • Yubikey 5 Nano: -
  • Yubikey 5c Nano Firmware: *
  • Yubikey 5c Nano: -
  • Yubikey 5ci Firmware: *
  • Yubikey 5ci: -
  • Yubikey 5 Nfc Fips Firmware: *
  • Yubikey 5 Nfc Fips: -
  • Yubikey 5c Nfc Fips Firmware: *
  • Yubikey 5c Nfc Fips: -
  • Yubikey 5c Fips Firmware: *
  • Yubikey 5c Fips: -
  • Yubikey 5 Nano Fips Firmware: *
  • Yubikey 5 Nano Fips: -
  • Yubikey 5c Nano Fips Firmware: *
  • Yubikey 5c Nano Fips: -
  • Yubikey 5ci Fips Firmware: *
  • Yubikey 5ci Fips: -
  • Yubikey C Bio Firmware: *
  • Yubikey C Bio: -
  • Yubikey Bio Firmware: *
  • Yubikey Bio: -
  • Security Key Nfc By Yubico Firmware: *
  • Security Key Nfc By Yubico: -
  • Security Key C Nfc By Yubico Firmware: *
  • Security Key C Nfc By Yubico: -
  • Yubihsm 2 Fips Firmware: *
  • Yubihsm 2 Fips: 2.2
  • Yubihsm 2 Firmware: *
  • Yubihsm 2: 2.3.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-203
Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o yubico yubikey_5c_nfc_firmware / / / / / / / /
h yubico yubikey_5c_nfc - / / / / / / /
o yubico yubikey_5_nfc_firmware / / / / / / / /
h yubico yubikey_5_nfc - / / / / / / /
o yubico yubikey_5c_firmware / / / / / / / /
h yubico yubikey_5c - / / / / / / /
o yubico yubikey_5_nano_firmware / / / / / / / /
h yubico yubikey_5_nano - / / / / / / /
o yubico yubikey_5c_nano_firmware / / / / / / / /
h yubico yubikey_5c_nano - / / / / / / /
o yubico yubikey_5ci_firmware / / / / / / / /
h yubico yubikey_5ci - / / / / / / /
o yubico yubikey_5_nfc_fips_firmware / / / / / / / /
h yubico yubikey_5_nfc_fips - / / / / / / /
o yubico yubikey_5c_nfc_fips_firmware / / / / / / / /
h yubico yubikey_5c_nfc_fips - / / / / / / /
o yubico yubikey_5c_fips_firmware / / / / / / / /
h yubico yubikey_5c_fips - / / / / / / /
o yubico yubikey_5_nano_fips_firmware / / / / / / / /
h yubico yubikey_5_nano_fips - / / / / / / /
o yubico yubikey_5c_nano_fips_firmware / / / / / / / /
h yubico yubikey_5c_nano_fips - / / / / / / /
o yubico yubikey_5ci_fips_firmware / / / / / / / /
h yubico yubikey_5ci_fips - / / / / / / /
o yubico yubikey_c_bio_firmware / / / / fido / / /
h yubico yubikey_c_bio - / / / fido / / /
o yubico yubikey_bio_firmware / / / / fido / / /
h yubico yubikey_bio - / / / fido / / /
o yubico security_key_nfc_by_yubico_firmware / / / / / / / /
h yubico security_key_nfc_by_yubico - / / / / / / /
o yubico security_key_c_nfc_by_yubico_firmware / / / / / / / /
h yubico security_key_c_nfc_by_yubico - / / / / / / /
o yubico yubihsm_2_fips_firmware / / / / / / / /
h yubico yubihsm_2_fips 2.2 / / / / / / /
o yubico yubihsm_2_firmware / / / / / / / /
h yubico yubihsm_2 2.3.2 / / / / / / /

CVSS Score

4.2 / 10

CVSS Data - 3.1

  • Attack Vector: PHYSICAL
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N


Timeline

Published: Sept. 3, 2024, 8:15 p.m.
Last Modified: Sept. 12, 2024, 8:07 p.m.

Status: Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.


Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.