CVE-2024-45678

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

Configurations

Configuration 1

AND
cpe:2.3:o:yubico:yubikey_5c_nfc_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_nfc:-:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:yubico:yubikey_5_nfc_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5_nfc:-:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:o:yubico:yubikey_5c_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c:-:*:*:*:*:*:*:*

Configuration 4

AND
cpe:2.3:o:yubico:yubikey_5_nano_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5_nano:-:*:*:*:*:*:*:*

Configuration 5

AND
cpe:2.3:o:yubico:yubikey_5c_nano_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_nano:-:*:*:*:*:*:*:*

Configuration 6

AND
cpe:2.3:o:yubico:yubikey_5ci_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5ci:-:*:*:*:*:*:*:*

Configuration 7

AND
cpe:2.3:o:yubico:yubikey_5_nfc_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5_nfc_fips:-:*:*:*:*:*:*:*

Configuration 8

AND
cpe:2.3:o:yubico:yubikey_5c_nfc_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_nfc_fips:-:*:*:*:*:*:*:*

Configuration 9

AND
cpe:2.3:o:yubico:yubikey_5c_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_fips:-:*:*:*:*:*:*:*

Configuration 10

AND
cpe:2.3:o:yubico:yubikey_5_nano_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5_nano_fips:-:*:*:*:*:*:*:*

Configuration 11

AND
cpe:2.3:o:yubico:yubikey_5c_nano_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_nano_fips:-:*:*:*:*:*:*:*

Configuration 12

AND
cpe:2.3:o:yubico:yubikey_5ci_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5ci_fips:-:*:*:*:*:*:*:*

Configuration 13

AND
cpe:2.3:o:yubico:yubikey_c_bio_firmware:*:*:*:*:fido:*:*:*
cpe:2.3:h:yubico:yubikey_c_bio:-:*:*:*:fido:*:*:*

Configuration 14

AND
cpe:2.3:o:yubico:yubikey_bio_firmware:*:*:*:*:fido:*:*:*
cpe:2.3:h:yubico:yubikey_bio:-:*:*:*:fido:*:*:*

Configuration 15

AND
cpe:2.3:o:yubico:security_key_nfc_by_yubico_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:security_key_nfc_by_yubico:-:*:*:*:*:*:*:*

Configuration 16

AND
cpe:2.3:o:yubico:security_key_c_nfc_by_yubico_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:security_key_c_nfc_by_yubico:-:*:*:*:*:*:*:*

Configuration 17

AND
cpe:2.3:o:yubico:yubihsm_2_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubihsm_2_fips:2.2:*:*:*:*:*:*:*

Configuration 18

AND
cpe:2.3:o:yubico:yubihsm_2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubihsm_2:2.3.2:*:*:*:*:*:*:*

History

12 Sep 2024, 20:07

Type Values Removed Values Added
References () https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/ - () https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/ - Press/Media Coverage
References () https://news.ycombinator.com/item?id=41434500 - () https://news.ycombinator.com/item?id=41434500 - Issue Tracking
References () https://ninjalab.io/eucleak/ - () https://ninjalab.io/eucleak/ - Third Party Advisory
References () https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf - () https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf - Technical Description
References () https://support.yubico.com/hc/en-us/articles/15705749884444 - () https://support.yubico.com/hc/en-us/articles/15705749884444 - Mitigation, Third Party Advisory
References () https://www.yubico.com/support/security-advisories/ysa-2024-03/ - () https://www.yubico.com/support/security-advisories/ysa-2024-03/ - Vendor Advisory
CWE CWE-203
CPE
CVSS (removed) v2 : unknown, v3 : unknown (added) v2 : unknown, v3 : 4.2
First Time Yubico yubikey Bio Firmware
Yubico yubikey 5c
Yubico security Key C Nfc By Yubico Firmware
Yubico yubikey 5ci Fips
Yubico yubikey 5 Nano Fips Firmware
Yubico yubikey 5ci
Yubico
Yubico yubikey 5c Nano Fips
Yubico yubihsm 2 Fips Firmware
Yubico security Key C Nfc By Yubico
Yubico yubikey 5 Nano Fips
Yubico yubikey 5 Nfc
Yubico yubikey C Bio Firmware
Yubico yubikey 5c Nfc Firmware
Yubico yubihsm 2 Fips
Yubico yubikey 5ci Fips Firmware
Yubico yubikey 5c Nano
Yubico yubikey 5c Nfc
Yubico yubikey Bio
Yubico security Key Nfc By Yubico
Yubico yubikey 5 Nfc Fips
Yubico yubikey 5c Nano Fips Firmware
Yubico yubikey 5c Fips Firmware
Yubico yubikey 5c Nfc Fips Firmware
Yubico yubikey 5 Nano
Yubico yubikey 5c Nfc Fips
Yubico yubikey 5 Nfc Fips Firmware
Yubico security Key Nfc By Yubico Firmware
Yubico yubikey 5c Firmware
Yubico yubikey 5c Fips
Yubico yubihsm 2
Yubico yubikey 5ci Firmware
Yubico yubikey 5c Nano Firmware
Yubico yubihsm 2 Firmware
Yubico yubikey C Bio
Yubico yubikey 5 Nano Firmware
Yubico yubikey 5 Nfc Firmware

04 Sep 2024, 13:05

Type Values Removed Values Added
Summary
  • (es, translated) Yubico YubiKey 5 Series devices with firmware earlier than version 5.7.0 and YubiHSM 2 devices with firmware earlier than version 2.4.0 allow an ECDSA secret-key extraction attack (requiring physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, also known as the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

03 Sep 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-03 20:15

Updated : 2024-09-12 20:07


NVD link : CVE-2024-45678

Mitre link : CVE-2024-45678

CVE.ORG link : CVE-2024-45678


Products Affected

yubico

  • yubikey_5_nfc_fips
  • yubikey_5c_nfc_firmware
  • yubihsm_2_fips
  • yubikey_5c_nfc_fips
  • yubikey_5_nano_firmware
  • security_key_nfc_by_yubico_firmware
  • yubikey_5ci_fips_firmware
  • yubikey_5c
  • yubikey_5c_nano_firmware
  • yubikey_5_nano_fips
  • yubihsm_2_firmware
  • yubikey_5c_nfc_fips_firmware
  • yubikey_5_nano
  • yubikey_5ci
  • yubihsm_2
  • yubihsm_2_fips_firmware
  • yubikey_c_bio
  • security_key_c_nfc_by_yubico_firmware
  • yubikey_5ci_fips
  • security_key_c_nfc_by_yubico
  • yubikey_5_nfc
  • yubikey_5c_nano_fips
  • yubikey_5c_fips
  • yubikey_bio_firmware
  • yubikey_c_bio_firmware
  • yubikey_bio
  • yubikey_5c_fips_firmware
  • security_key_nfc_by_yubico
  • yubikey_5ci_firmware
  • yubikey_5c_firmware
  • yubikey_5c_nano
  • yubikey_5_nano_fips_firmware
  • yubikey_5_nfc_firmware
  • yubikey_5_nfc_fips_firmware
  • yubikey_5c_nano_fips_firmware
  • yubikey_5c_nfc

CWE
CWE-203

Observable Discrepancy