Today > 1 Critical | 15 High | 10 Medium vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-45678

Sept. 12, 2024, 8:07 p.m.

Tags

cve@mitre.org
CWE-203
2024-09-03
CVE-2024-45678

CVSS Score

4.2 / 10

Products Impacted

Vendor Product Versions
yubico
  • yubikey_5c_nfc_firmware
  • yubikey_5c_nfc
  • yubikey_5_nfc_firmware
  • yubikey_5_nfc
  • yubikey_5c_firmware
  • yubikey_5c
  • yubikey_5_nano_firmware
  • yubikey_5_nano
  • yubikey_5c_nano_firmware
  • yubikey_5c_nano
  • yubikey_5ci_firmware
  • yubikey_5ci
  • yubikey_5_nfc_fips_firmware
  • yubikey_5_nfc_fips
  • yubikey_5c_nfc_fips_firmware
  • yubikey_5c_nfc_fips
  • yubikey_5c_fips_firmware
  • yubikey_5c_fips
  • yubikey_5_nano_fips_firmware
  • yubikey_5_nano_fips
  • yubikey_5c_nano_fips_firmware
  • yubikey_5c_nano_fips
  • yubikey_5ci_fips_firmware
  • yubikey_5ci_fips
  • yubikey_c_bio_firmware
  • yubikey_c_bio
  • yubikey_bio_firmware
  • yubikey_bio
  • security_key_nfc_by_yubico_firmware
  • security_key_nfc_by_yubico
  • security_key_c_nfc_by_yubico_firmware
  • security_key_c_nfc_by_yubico
  • yubihsm_2_fips_firmware
  • yubihsm_2_fips
  • yubihsm_2_firmware
  • yubihsm_2
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • 2.2
  • *
  • 2.3.2

Description

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

Weaknesses

CWE-203
Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CWE ID: 203

Date

Published: Sept. 3, 2024, 8:15 p.m.

Last Modified: Sept. 12, 2024, 8:07 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o yubico yubikey_5c_nfc_firmware / / / / / / / /
h yubico yubikey_5c_nfc - / / / / / / /
o yubico yubikey_5_nfc_firmware / / / / / / / /
h yubico yubikey_5_nfc - / / / / / / /
o yubico yubikey_5c_firmware / / / / / / / /
h yubico yubikey_5c - / / / / / / /
o yubico yubikey_5_nano_firmware / / / / / / / /
h yubico yubikey_5_nano - / / / / / / /
o yubico yubikey_5c_nano_firmware / / / / / / / /
h yubico yubikey_5c_nano - / / / / / / /
o yubico yubikey_5ci_firmware / / / / / / / /
h yubico yubikey_5ci - / / / / / / /
o yubico yubikey_5_nfc_fips_firmware / / / / / / / /
h yubico yubikey_5_nfc_fips - / / / / / / /
o yubico yubikey_5c_nfc_fips_firmware / / / / / / / /
h yubico yubikey_5c_nfc_fips - / / / / / / /
o yubico yubikey_5c_fips_firmware / / / / / / / /
h yubico yubikey_5c_fips - / / / / / / /
o yubico yubikey_5_nano_fips_firmware / / / / / / / /
h yubico yubikey_5_nano_fips - / / / / / / /
o yubico yubikey_5c_nano_fips_firmware / / / / / / / /
h yubico yubikey_5c_nano_fips - / / / / / / /
o yubico yubikey_5ci_fips_firmware / / / / / / / /
h yubico yubikey_5ci_fips - / / / / / / /
o yubico yubikey_c_bio_firmware / / / / fido / / /
h yubico yubikey_c_bio - / / / fido / / /
o yubico yubikey_bio_firmware / / / / fido / / /
h yubico yubikey_bio - / / / fido / / /
o yubico security_key_nfc_by_yubico_firmware / / / / / / / /
h yubico security_key_nfc_by_yubico - / / / / / / /
o yubico security_key_c_nfc_by_yubico_firmware / / / / / / / /
h yubico security_key_c_nfc_by_yubico - / / / / / / /
o yubico yubihsm_2_fips_firmware / / / / / / / /
h yubico yubihsm_2_fips 2.2 / / / / / / /
o yubico yubihsm_2_firmware / / / / / / / /
h yubico yubihsm_2 2.3.2 / / / / / / /

CVSS Data

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score
4.2
Exploitability Score
0.5
Impact Score
3.6
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

https://arstechnica.com/ cve@mitre.org
https://news.ycombinator.com/ cve@mitre.org
https://ninjalab.io/ cve@mitre.org
https://ninjalab.io/ cve@mitre.org
https://support.yubico.com/ cve@mitre.org
https://www.yubico.com/ cve@mitre.org