CVE-2024-45678

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45678
Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

4.2 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.5 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/ Press/Media Coverage
https://news.ycombinator.com/item?id=41434500 Issue Tracking
https://ninjalab.io/eucleak/ Third Party Advisory
https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf Technical Description
https://support.yubico.com/hc/en-us/articles/15705749884444 Mitigation Third Party Advisory
https://www.yubico.com/support/security-advisories/ysa-2024-03/ Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:yubico:yubikey_5c_nfc_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_nfc:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:yubico:yubikey_5_nfc_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5_nfc:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:yubico:yubikey_5c_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:yubico:yubikey_5_nano_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5_nano:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:yubico:yubikey_5c_nano_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_nano:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:yubico:yubikey_5ci_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5ci:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:yubico:yubikey_5_nfc_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5_nfc_fips:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:yubico:yubikey_5c_nfc_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_nfc_fips:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:yubico:yubikey_5c_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_fips:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:yubico:yubikey_5_nano_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5_nano_fips:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:yubico:yubikey_5c_nano_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5c_nano_fips:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:yubico:yubikey_5ci_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubikey_5ci_fips:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:yubico:yubikey_c_bio_firmware:*:*:*:*:fido:*:*:*
cpe:2.3:h:yubico:yubikey_c_bio:-:*:*:*:fido:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:yubico:yubikey_bio_firmware:*:*:*:*:fido:*:*:*
cpe:2.3:h:yubico:yubikey_bio:-:*:*:*:fido:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:yubico:security_key_nfc_by_yubico_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:security_key_nfc_by_yubico:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:yubico:security_key_c_nfc_by_yubico_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:security_key_c_nfc_by_yubico:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:yubico:yubihsm_2_fips_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubihsm_2_fips:2.2:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:yubico:yubihsm_2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:yubico:yubihsm_2:2.3.2:*:*:*:*:*:*:*
History

No history.

Information

Published : 2024-09-03 20:15

Updated : 2025-03-17 18:15

NVD link : CVE-2024-45678

Mitre link : CVE-2024-45678

CVE.ORG link : CVE-2024-45678

JSON object : View

Products Affected

yubico

  • yubikey_c_bio_firmware
  • yubikey_5c_nano_fips_firmware
  • security_key_c_nfc_by_yubico
  • yubikey_5c_nano_fips
  • security_key_nfc_by_yubico
  • yubikey_5c_nano
  • yubihsm_2_firmware
  • yubikey_c_bio
  • yubikey_5_nano
  • yubikey_5_nfc_fips_firmware
  • yubikey_5c_fips
  • yubikey_5c
  • yubikey_5_nfc_fips
  • yubihsm_2
  • yubikey_5_nfc
  • yubikey_bio
  • yubikey_5c_nfc_fips
  • yubikey_5c_nano_firmware
  • yubikey_5_nano_fips
  • yubikey_5ci_firmware
  • yubikey_5ci_fips_firmware
  • yubikey_5c_nfc
  • yubikey_5c_nfc_firmware
  • yubikey_5ci
  • yubikey_5_nano_firmware
  • yubikey_5_nano_fips_firmware
  • yubikey_5c_nfc_fips_firmware
  • yubihsm_2_fips_firmware
  • yubikey_5ci_fips
  • yubihsm_2_fips
  • yubikey_5c_fips_firmware
  • yubikey_5_nfc_firmware
  • security_key_c_nfc_by_yubico_firmware
  • yubikey_bio_firmware
  • yubikey_5c_firmware
  • security_key_nfc_by_yubico_firmware
CWE
CWE-203

Observable Discrepancy