192 matches found
YSA-2025-02 | Yubico
A low-severity issue has been identified in YubiKey versions 5.4.1 through 5.7.3 in the FIDO CTAP PIN/UV Auth Protocol Two implementation. These YubiKey versions use the 16-byte signature length from CTAP PIN/UV Auth Protocol One during the verification step, even when the 32-byte CTAP PIN/UV Au...
Security Bulletin: A Security Vulnerability was discovered in IBM Security Verify Access (CVE-2024-45678)
Summary: A security vulnerability was addressed in IBM Security Verify Access regarding Yubico Yubikey 5 Series. Vulnerability Details: CVEID: CVE-2024-45678. DESCRIPTION: Yubico YubiKey 5 Series, Security Key Series and YubiHSM 2 could allow a physical attacker to obtain sensitive information, cause...
[SECURITY] Fedora 40 Update: pam-u2f-1.3.2-1.fc40
The PAM U2F module provides an easy way to integrate the Yubikey or other U2F-compliant authenticators into your existing user authentication infrastructure...
[SECURITY] Fedora 41 Update: pam-u2f-1.3.2-1.fc41
The PAM U2F module provides an easy way to integrate the Yubikey or other U2F-compliant authenticators into your existing user authentication infrastructure...
DEBIAN-CVE-2025-23013
In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO-compliant authenticators on macOS or Linux. This software package has an issue...
UBUNTU-CVE-2025-23013
In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO-compliant authenticators on macOS or Linux. This software package has an issue...
FIDO2 redirection in Chrome and Edge doesn't work
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/fido2.html#local-authorization-and-virtual-authentication-using-fido2-and-webauthn was followed. However, devices which use FIDO2, such as fingerprint readers and YubiKey devices, are not detected in the browser,...
YubiKey Side-Channel Attack
There is a side-channel attack against YubiKey access tokens that allows someone to clone a device. It's a complicated attack, requiring the victim's username and password, and physical access to their YubiKey--as well as some technical expertise and equipment. Still, nice piece of security analysi...
YubiKeys Are a Security Gold Standard—but They Can Be Cloned
Security researchers have discovered a cryptographic flaw that leaves the YubiKey 5 vulnerable to attack...
CVE-2024-45678
Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack that requires physical access and expensive equipment in which an electromagnetic side channel is present because of a non-constant-time modular...
CVE-2024-45678
Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack that requires physical access and expensive equipment in which an electromagnetic side channel is present because of a non-constant-time modular...
PT-2024-31724
Name of the Vulnerable Software and Affected Versions: Yubico YubiKey 5 Series devices with firmware before 5.7.0; YubiHSM 2 devices with firmware before 2.4.0. Description: The issue allows an ECDSA secret-key extraction attack that requires physical access and expensive equipment. This attack is...
CVE-2024-45678
The CVE-2024-45678 EUCLEAK issue affects Yubico YubiKey 5 Series firmware < 5.7.0 and YubiHSM 2 firmware
CVE-2024-45678
Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack that requires physical access and expensive equipment in which an electromagnetic side channel is present because of a non-constant-time modular...
CVE-2024-45678
Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack that requires physical access and expensive equipment in which an electromagnetic side channel is present because of a non-constant-time modular...
Yubico YubiKey 5 Security Vulnerability
Yubico YubiKey 5 is a multi-protocol secure secret key device from Yubico. A security vulnerability exists in Yubico YubiKey 5 versions prior to 5.7.0 and YubiHSM 2 versions prior to 2.4.0, which stems from an electromagnetic side channel due to a non-constant time modulo inversion in the Extende...
Brave Desktop 1.67.123 Security Fixes
Fixed unreadable button labels on certain YubiKey modals when using light theme. Upgraded Chromium to 126.0.6478.126 — refer to Google Chrome advisories for inherited CVEs...
OPENSUSE-SU-2024:11538-1 yubikey-manager-4.0.3-1.3 on GA media
These are all security issues fixed in the yubikey-manager-4.0.3-1.3 package on the GA media of openSUSE Tumbleweed...
Fedora: Security Advisory for rust-ybaas (FEDORA-2024-40ee18b2e7)
The remote host is missing an update for the...
Fedora: Security Advisory for rust-yubibomb (FEDORA-2024-40ee18b2e7)
The remote host is missing an update for the...