Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-45678

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

Published

2024-09-03T20:15:08.860

Last Modified

2025-03-17T18:15:18.033

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.2 (MEDIUM)

Weaknesses

Type: Primary
CWE-203
Type: Secondary
CWE-203

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	yubico	yubikey_5c_nfc_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5c_nfc	-	No
Operating System	yubico	yubikey_5_nfc_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5_nfc	-	No
Operating System	yubico	yubikey_5c_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5c	-	No
Operating System	yubico	yubikey_5_nano_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5_nano	-	No
Operating System	yubico	yubikey_5c_nano_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5c_nano	-	No
Operating System	yubico	yubikey_5ci_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5ci	-	No
Operating System	yubico	yubikey_5_nfc_fips_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5_nfc_fips	-	No
Operating System	yubico	yubikey_5c_nfc_fips_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5c_nfc_fips	-	No
Operating System	yubico	yubikey_5c_fips_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5c_fips	-	No
Operating System	yubico	yubikey_5_nano_fips_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5_nano_fips	-	No
Operating System	yubico	yubikey_5c_nano_fips_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5c_nano_fips	-	No
Operating System	yubico	yubikey_5ci_fips_firmware	< 5.7	Yes
Hardware	yubico	yubikey_5ci_fips	-	No
Operating System	yubico	yubikey_c_bio_firmware	< 5.7.2	Yes
Hardware	yubico	yubikey_c_bio	-	No
Operating System	yubico	yubikey_bio_firmware	< 5.7.2	Yes
Hardware	yubico	yubikey_bio	-	No
Operating System	yubico	security_key_nfc_by_yubico_firmware	< 5.7	Yes
Hardware	yubico	security_key_nfc_by_yubico	-	No
Operating System	yubico	security_key_c_nfc_by_yubico_firmware	< 5.7	Yes
Hardware	yubico	security_key_c_nfc_by_yubico	-	No
Operating System	yubico	yubihsm_2_fips_firmware	< 2.4.0	Yes
Hardware	yubico	yubihsm_2_fips	2.2	No
Operating System	yubico	yubihsm_2_firmware	< 2.4.0	Yes
Hardware	yubico	yubihsm_2	2.3.2	No

References

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/ Press/Media Coverage ([email protected])
https://news.ycombinator.com/item?id=41434500 Issue Tracking ([email protected])
https://ninjalab.io/eucleak/ Third Party Advisory ([email protected])
https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf Technical Description ([email protected])
https://support.yubico.com/hc/en-us/articles/15705749884444 Mitigation, Third Party Advisory ([email protected])
https://www.yubico.com/support/security-advisories/ysa-2024-03/ Vendor Advisory ([email protected])