CVE-2020-15000

A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:yubico:yubikey_5_nfc_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5_nfc:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:04

Type Values Removed Values Added
References () https://www.yubico.com/support/security-advisories/ysa-2020-05/ - Mitigation, Vendor Advisory () https://www.yubico.com/support/security-advisories/ysa-2020-05/ - Mitigation, Vendor Advisory

Information

Published : 2020-07-09 18:15

Updated : 2024-11-21 05:04


NVD link : CVE-2020-15000

Mitre link : CVE-2020-15000

CVE.ORG link : CVE-2020-15000


JSON object : View

Products Affected

yubico

  • yubikey_5_nfc
  • yubikey_5_nfc_firmware