{
  "document" : {
    "aggregate_severity" : {
      "text" : "mittel"
    },
    "category" : "csaf_base",
    "csaf_version" : "2.0",
    "distribution" : {
      "tlp" : {
        "label" : "WHITE",
        "url" : "https://www.first.org/tlp/"
      }
    },
    "lang" : "de-DE",
    "notes" : [ {
      "category" : "legal_disclaimer",
      "text" : "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen."
    }, {
      "category" : "description",
      "text" : "Die YubiKey Produktfamilie bietet Lösungen für eine Zwei-Faktor-Authentisierung.",
      "title" : "Produktbeschreibung"
    }, {
      "category" : "summary",
      "text" : "Ein Angreifer mit physischem Zugriff kann eine Schwachstelle in Yubico YubiKey ausnutzen, um Informationen offenzulegen.",
      "title" : "Angriff"
    }, {
      "category" : "general",
      "text" : "- Hardware Appliance",
      "title" : "Betroffene Betriebssysteme"
    } ],
    "publisher" : {
      "category" : "other",
      "contact_details" : "csaf-provider@cert-bund.de",
      "name" : "Bundesamt für Sicherheit in der Informationstechnik",
      "namespace" : "https://www.bsi.bund.de"
    },
    "references" : [ {
      "category" : "self",
      "summary" : "WID-SEC-W-2024-2048 - CSAF Version",
      "url" : "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-2048.json"
    }, {
      "category" : "self",
      "summary" : "WID-SEC-2024-2048 - Portal Version",
      "url" : "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-2048"
    }, {
      "category" : "external",
      "summary" : "Yubico Security Advisory vom 2024-09-03",
      "url" : "https://www.yubico.com/support/security-advisories/ysa-2024-03/"
    } ],
    "source_lang" : "en-US",
    "title" : "Yubico YubiKey: Schwachstelle ermöglicht Klonen von Signaturschlüsseln",
    "tracking" : {
      "current_release_date" : "2024-12-01T23:00:00.000+00:00",
      "generator" : {
        "date" : "2024-12-02T11:33:59.946+00:00",
        "engine" : {
          "name" : "BSI-WID",
          "version" : "1.3.8"
        }
      },
      "id" : "WID-SEC-W-2024-2048",
      "initial_release_date" : "2024-09-03T22:00:00.000+00:00",
      "revision_history" : [ {
        "date" : "2024-09-03T22:00:00.000+00:00",
        "number" : "1",
        "summary" : "Initiale Fassung"
      }, {
        "date" : "2024-09-04T22:00:00.000+00:00",
        "number" : "2",
        "summary" : "Vulname eingetragen"
      }, {
        "date" : "2024-09-19T22:00:00.000+00:00",
        "number" : "3",
        "summary" : "Gegenmaßnahmen-Text angepasst"
      }, {
        "date" : "2024-12-01T23:00:00.000+00:00",
        "number" : "4",
        "summary" : "Prüfung Produkteintragung"
      } ],
      "status" : "final",
      "version" : "4"
    }
  },
  "product_tree" : {
    "branches" : [ {
      "branches" : [ {
        "branches" : [ {
          "category" : "product_version_range",
          "name" : "<2.4.0",
          "product" : {
            "name" : "Yubico YubiHSM <2.4.0",
            "product_id" : "T037273"
          }
        }, {
          "category" : "product_version",
          "name" : "2.4.0",
          "product" : {
            "name" : "Yubico YubiHSM 2.4.0",
            "product_id" : "T037273-fixed",
            "product_identification_helper" : {
              "cpe" : "cpe:/h:yubico:yubihsm:2.4.0"
            }
          }
        }, {
          "category" : "product_version_range",
          "name" : "<2.4.0 FIPS",
          "product" : {
            "name" : "Yubico YubiHSM <2.4.0 FIPS",
            "product_id" : "T037274"
          }
        }, {
          "category" : "product_version",
          "name" : "2.4.0 FIPS",
          "product" : {
            "name" : "Yubico YubiHSM 2.4.0 FIPS",
            "product_id" : "T037274-fixed",
            "product_identification_helper" : {
              "cpe" : "cpe:/h:yubico:yubihsm:2.4.0::fips"
            }
          }
        } ],
        "category" : "product_name",
        "name" : "YubiHSM"
      }, {
        "branches" : [ {
          "category" : "product_version_range",
          "name" : "5 Series <5.7",
          "product" : {
            "name" : "Yubico YubiKey 5 Series <5.7",
            "product_id" : "T037268"
          }
        }, {
          "category" : "product_version",
          "name" : "5 Series 5.7",
          "product" : {
            "name" : "Yubico YubiKey 5 Series 5.7",
            "product_id" : "T037268-fixed",
            "product_identification_helper" : {
              "cpe" : "cpe:/a:yubico:yubikey:5_series__5.7"
            }
          }
        }, {
          "category" : "product_version_range",
          "name" : "5 FIPS <5.7",
          "product" : {
            "name" : "Yubico YubiKey 5 FIPS <5.7",
            "product_id" : "T037269"
          }
        }, {
          "category" : "product_version",
          "name" : "5 FIPS 5.7",
          "product" : {
            "name" : "Yubico YubiKey 5 FIPS 5.7",
            "product_id" : "T037269-fixed",
            "product_identification_helper" : {
              "cpe" : "cpe:/a:yubico:yubikey:5_fips__5.7"
            }
          }
        }, {
          "category" : "product_version_range",
          "name" : "5 CSPN <5.7",
          "product" : {
            "name" : "Yubico YubiKey 5 CSPN <5.7",
            "product_id" : "T037270"
          }
        }, {
          "category" : "product_version",
          "name" : "5 CSPN 5.7",
          "product" : {
            "name" : "Yubico YubiKey 5 CSPN 5.7",
            "product_id" : "T037270-fixed",
            "product_identification_helper" : {
              "cpe" : "cpe:/a:yubico:yubikey:5_cspn__5.7"
            }
          }
        }, {
          "category" : "product_version_range",
          "name" : "Bio Series <5.7.2",
          "product" : {
            "name" : "Yubico YubiKey Bio Series <5.7.2",
            "product_id" : "T037271"
          }
        }, {
          "category" : "product_version",
          "name" : "Bio Series 5.7.2",
          "product" : {
            "name" : "Yubico YubiKey Bio Series 5.7.2",
            "product_id" : "T037271-fixed",
            "product_identification_helper" : {
              "cpe" : "cpe:/a:yubico:yubikey:bio_series__5.7.2"
            }
          }
        } ],
        "category" : "product_name",
        "name" : "YubiKey"
      } ],
      "category" : "vendor",
      "name" : "Yubico"
    } ]
  },
  "vulnerabilities" : [ {
    "notes" : [ {
      "category" : "description",
      "text" : "Es besteht eine Schwachstelle in Yubico YubiKey. Sie wird durch eine Schwäche in der kryptographischen Bibliothek von Infineon verursacht, die es einem Angreifer mit physischem Besitz des YubiKey ermöglicht, private Schlüssel wiederherzustellen. Ein Angreifer mit physischem Zugriff kann diese Schwachstelle ausnutzen, um auf elliptischen Kurven basierende Schlüssel zu duplizieren, was unter normalen Bedingungen nicht möglich sein sollte. Für eine erfolgreiche Ausnutzung sind Kenntnisse über die Zielkonten - einschließlich der Authentifizierungsinformationen - sowie spezielle Geräte zur Durchführung des Angriffs erforderlich. Laut Produktstatus dieses Advisories sind neben YubiKey auch YubiHSM-Produkte vor Version 2.4.0 betroffen."
    } ],
    "product_status" : {
      "known_affected" : [ "T037271", "T037273", "T037274", "T037270", "T037268", "T037269" ]
    },
    "release_date" : "2024-09-03T22:00:00.000+00:00"
  } ]
}