CVE-2024-35311: Yubico YubiKey 5, Security Key, YubiKey Bio, and YubiKey 5 FIPS Incorrect Access Control Vulnerability

Yubico has issued a security advisory (CVE-2024-35311) covering the YubiKey 5 Series, Security Key Series, YubiKey Bio Series and YubiKey 5 FIPS devices running firmware older than the versions the advisory specifies. YubiKey firmware cannot be upgraded in the field, so the practical question for anyone holding one of these keys is whether the firmware version burned into it falls inside the affected range.

Affected versions listed on this page: YubiKey 5 FIPS before 5.7.2 (the fixed versions for the non-FIPS series are not given here; the advisory is the authoritative list).

The vulnerability is classified as incorrect access control: affected firmware fails to enforce an access restriction it should enforce, which could expose data or operations on the key to a party who should not have them. The advisory itself describes which operation is affected; this page does not add detail beyond that classification. Users of affected keys should determine their firmware version and follow the advisory's guidance.

No public exploit code is presented here. The actionable check for a user is whether a given key runs affected firmware, which the remediation section below covers.

Because YubiKey firmware is not field-upgradeable, an affected key cannot be patched in place. Remediation therefore means identifying affected keys by firmware version and following the guidance Yubico gives in the advisory linked below for those devices. The firmware version can be read with YubiKey Manager: `ykman info` prints it on a line of the form `Firmware version: x.y.z`, alongside a `Device type:` line that identifies FIPS keys.
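The following is an added example, not code from the page or from Yubico, that performs that check: it parses the text `ykman info` prints and compares the firmware version, as a (major, minor, patch) tuple rather than a string, against the fixed version this page lists for the FIPS series (5.7.2). The sample output is constructed, not captured from a real key, and the fixed version for non-FIPS keys is left as a caller-supplied parameter because the page does not state it. The `live_ykman_info()` helper shells out to the real `ykman` binary for use with a plugged-in key.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed version this page lists for the YubiKey 5 FIPS series.
FIPS_FIXED_VERSION: Version = (5, 7, 2)

# Constructed sample of `ykman info` output (not captured from a real device).
# Only the "Device type:" and "Firmware version:" lines are used below.
SAMPLE_YKMAN_INFO = """\
Device type: YubiKey 5 NFC FIPS
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.
"""


def parse_ykman_info(text: str) -> Tuple[str, Version]:
    """Return (device type, firmware version tuple) from `ykman info` text."""
    dev = re.search(r"^Device type:\s*(.+?)\s*$", text, re.MULTILINE)
    ver = re.search(r"^Firmware version:\s*(\d+)\.(\d+)\.(\d+)\s*$", text, re.MULTILINE)
    if not dev or not ver:
        raise ValueError("device type or firmware version not found in ykman output")
    major, minor, patch = (int(x) for x in ver.groups())
    return dev.group(1), (major, minor, patch)


def is_fips_device(device_type: str) -> bool:
    """ykman names FIPS keys with a trailing 'FIPS' in the device type."""
    return "FIPS" in device_type.upper()


def is_affected(device_type: str, firmware: Version,
                non_fips_fixed: Optional[Version] = None) -> Optional[bool]:
    """
    True if the firmware predates the fixed version for its device class,
    False if it is at or past it, None if no fixed version is known for the
    class. Tuples are compared numerically, so (5, 10, 0) sorts after (5, 7, 2);
    a string comparison would get that wrong.
    """
    if is_fips_device(device_type):
        return firmware < FIPS_FIXED_VERSION
    if non_fips_fixed is None:
        return None  # page gives no threshold for non-FIPS keys; consult the advisory
    return firmware < non_fips_fixed


def live_ykman_info() -> str:
    """Run the real `ykman info` (yubikey-manager) against a connected key."""
    result = subprocess.run(["ykman", "info"], check=True,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    device, fw = parse_ykman_info(SAMPLE_YKMAN_INFO)
    print(f"{device}, firmware {'.'.join(map(str, fw))}, "
          f"affected: {is_affected(device, fw)}")
```

For a live check, replace `SAMPLE_YKMAN_INFO` with `live_ykman_info()`; a `None` result means the script has no threshold for that device class and the advisory must be consulted directly.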

1. Yubico Security Advisory 2024-01: https://www.yubico.com/support/security-advisories/ysa-2024-01/
2. Yubico firmware documentation (note that YubiKey firmware cannot be upgraded in place): https://www.yubico.com/documentation/upgrade/

More generally, a YubiKey is itself the second factor in an MFA setup; what protects it against someone who physically holds it is the PINs and lock code configured on its applications (FIDO2 PIN, PIV PIN, OpenPGP user PIN, configuration lock code), so those should be set, and a second registered key should be kept as a backup. Yubico's best-practice guidance for the devices is at: https://www.yubico.com/guide-yubikey-best-practices/

In conclusion, users of YubiKey devices affected by CVE-2024-35311 should check the firmware version of each key and, for keys inside the affected range, follow the guidance in Yubico's advisory, since the firmware itself cannot be patched. Setting PINs and a lock code on the key's applications and keeping a backup key registered improve the security posture of the devices independently of this advisory.

Timeline

Published on: 05/29/2024 16:15:10 UTC
Last modified on: 11/21/2024 17:15:13 UTC