192 matches found
Security Advisory YSA-2021-03 | Yubico
A security update for pam-u2f resolves a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence touch or cryptographic signature verification to be bypassed, so an attacker would still need to...
Cloning Google Titan 2FA keys
This is a clever side-channel attack: The cloning works by using a hot air gun and a scalpel to remove the plastic key casing and expose the NXP A700X chip, which acts as a secure element that stores the cryptographic secrets. Next, an attacker connects the chip to hardware and software that take...
New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys
Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks. But new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it...
CVE-2021-3011
An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access and consequently produce a...
FIDO U2F Security Breach
FIDO U2F is an authentication protocol from the FIDO organization based on standard public key cryptography techniques primarily used for smart card authentication. A security vulnerability exists in FIDO U2F that could allow an attacker to extract the ECDSA private key after extensive physical...
openSUSE Security Update : opera (openSUSE-2020-1172)
This update for opera fixes the following issues: - Update to version 70.0.3728.71 - DNA-86267 Make Recently closed tabs appearance consistent with Search for open tabs. - DNA-86988 Opera 70 translations - DNA-87530 Zen news leads not loading - DNA-87636 Fix displaying folder icon for closed...
openSUSE Security Update : opera (openSUSE-2020-1148)
This update for opera fixes the following issues: - Update to version 70.0.3728.71 - DNA-86267 Make Recently closed tabs appearance consistent with Search for open tabs. - DNA-86988 Opera 70 translations - DNA-87530 Zen news leads not loading - DNA-87636 Fix displaying folder icon for closed...
Yubico YubiKey 5 NFC Information Disclosure Vulnerability
Yubico YubiKey 5 NFC is a multi-protocol secret key device supporting NFC (Near Field Communication) functionality from the Swedish company Yubico. An information disclosure vulnerability exists in the Yubico YubiKey 5 NFC versions 5.0.0 through 5.2.6 and 5.3.0 through 5.3.1. The vulnerability can ...
CVE-2020-15001
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked whe...
Design/Logic Flaw
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked whe...
CVE-2020-15000
A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known...
Design/Logic Flaw
A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known...
CVE-2020-15001
CVE-2020-15001 affects Yubico YubiKey 5 NFC, specifically firmware versions 5.0.0–5.2.6 and 5.3.0–5.3.1. The OTP application allows optional access codes on OTP slots, but the access code is not checked when updating NFC-specific OTP configurations. As a result, an attacker could read configured ...
CVE-2020-15000
The CVE-2020-15000 entry describes a PIN management flaw in Yubico YubiKey 5 devices (versions 5.2.0–5.2.6) where a Reset Code is set to a known value at initialization due to a flaw in OpenPGP. If the Reset Code retry counter is enabled (non-zero) without changing the Reset Code, this known valu...
YubiKey - Less critical - Access bypass - SA-CONTRIB-2020-023
This module enables you to use a YubiKey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token. The module doesn't sufficiently implement login flood control when the module is configured for YubiKey OTP...
Debian: Security Advisory (DLA-2141-1)
The remote host is missing an update for the Debian...