Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-24584

Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. The Yubico OTP supposedly creates hardware bound second factor credentials. When a user reprograms the OTP functionality by "writing" it on a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubicos OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a secret value, which is imported into the device, should also be stored elsewhere

Published

2022-05-11T18:15:23.973

Last Modified

2024-11-21T06:50:41.893

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	yubico	otp	-	Yes

References

https://demo.yubico.com/otp/verify Vendor Advisory ([email protected])
https://pastebin.com/7iLR1EbW Exploit, Third Party Advisory ([email protected])
https://pastebin.com/xAh8uV6J Third Party Advisory ([email protected])
https://upload.yubico.com/ Vendor Advisory ([email protected])
https://demo.yubico.com/otp/verify Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://pastebin.com/7iLR1EbW Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://pastebin.com/xAh8uV6J Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://upload.yubico.com/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)