HackerSecret.com – The Most Authoritative Site in the World on the Hacking Tools and Techniques, Penetration Testing and CyberSecurity

Yubico is replacing for free YubiKey FIPS devices due to security weakness

Yubico is replacing YubiKey FIPS security keys due to a serious flaw that makes cryptographic operations easier to crack under specific conditions.

Yubico is replacing YubiKey FIPS security keys due to a serious issue that flaw that makes it easier to crack RSA keys and ECDSA signatures generated on these devices.

The security advisory published by the company states that the issue impacts YubiKey series devices running versions 4.4.2 and 4.4.4 of the firmware. The weakness impacts PIV smart card applications, Universal 2nd Factor (U2F) authentication, OATH one-time passwords, and OpenPGP. Nano FIPS, C FIPS and C Nano FIPS devices are also impacted by the weakness.

“An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up,” reads the advisory published by Yubico.

“The issue only affects certain use cases and scenarios. YubiKey FIPS applications utilizing ECDSA are at higher risk than other use cases.”

Some YubiKey FIPS applications leverage on ransom values that contain reduced randomness for the first operations performed after devices power-up.

“The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted,” continues the advisory.

Yubico discovered the flaw in March and addressed it with the release of the firmware version 4.4.5 that was certified at the end of April.

At the time, there is no news of attacks exploiting the issue in the wild.

Yubico is contacting its customers to inform them of the free device replacement. The company said that most of the affected security keys have already been replaced or are in the process of being replaced.

People who bought their devices from a reseller should contact them and ask for the drives replacement.

Pierluigi Paganini

(SecurityAffairs – Yubico, hacking)

The post Yubico is replacing for free YubiKey FIPS devices due to security weakness appeared first on Security Affairs.

Security Affairs

Are you looking for products for hacking, cybersecurity, and penetration testing? Do you need to cleanse your smartphone, PC, or website from viruses and malware? Do you need to track down a person or recover urgent information? Do you need to regain control of an account, email, or password that has been stolen from you? Interested in purchasing pre-configured devices to easily and quickly experiment with hacking techniques? Do you have specific requirements in software or hardware? We can assist you!

Contact us immediately for immediate assistance: provide us with details via email or WhatsApp about the type of support you need, and we will respond you promptly!

Fill out and submit the form below to send us an immediate support request

Write your email address here

Write here how we can help you – we provide immediate support for all your needs!

, , , , , , ,
Send us a WhatsApp!