First published: Thu Jul 09 2020
A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Yubico YubiKey 5 NFC Firmware | >=5.2.0 <=5.2.6 | |
Yubico YubiKey 5 NFC | | |
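A triage check for the two conditions in the description above (affected firmware range, non-zero Reset Code retry counter), added here as an example and not taken from Yubico or from this page's source. It assumes the firmware version is read from the `Firmware version:` line of `ykman info` and the counters from the `PIN retry counter` line of `gpg --card-status` (ordered User PIN, Reset Code, Admin PIN); the sample outputs and the result labels are constructed.

```python
import re

# Affected firmware range as stated in the advisory: 5.2.0 to 5.2.6 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (5, 2, 0), (5, 2, 6)

# Constructed sample outputs (not captured from a real device).
SAMPLE_YKMAN = """Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.2.4
"""
SAMPLE_GPG = """Application type .: OpenPGP
Manufacturer .....: Yubico
PIN retry counter : 3 3 3
"""

def firmware_version(ykman_info):
    """Return the firmware version from `ykman info` text as an int tuple."""
    m = re.search(r"^Firmware version:\s*(\d+)\.(\d+)\.(\d+)", ykman_info, re.M)
    if not m:
        raise ValueError("no firmware version line found")
    return tuple(int(x) for x in m.groups())

def retry_counters(card_status):
    """Return (user_pin, reset_code, admin_pin) retries from `gpg --card-status`."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)", card_status, re.M)
    if not m:
        raise ValueError("no PIN retry counter line found")
    return tuple(int(x) for x in m.groups())

def assess(ykman_info, card_status):
    """Classify a key against the two conditions in the advisory."""
    version = firmware_version(ykman_info)
    _, reset_code_retries, _ = retry_counters(card_status)
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not-affected"
    if reset_code_retries == 0:
        # Reset Code is disabled (the default), so it cannot be used.
        return "affected-firmware-reset-code-disabled"
    # Counter is non-zero: safe only if the Reset Code was explicitly changed,
    # which cannot be determined from these two outputs.
    return "review-reset-code"

if __name__ == "__main__":
    print(assess(SAMPLE_YKMAN, SAMPLE_GPG))
```

A `review-reset-code` result means the key needs a manual check that the Reset Code was explicitly set after the retry counter was enabled.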
The vulnerability ID is CVE-2020-15000.
The severity of CVE-2020-15000 is medium, with a severity value of 5.9.
Yubico YubiKey 5 devices with firmware versions 5.2.0 to 5.2.6 are affected.
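The vulnerability allows unauthorized access to the Yubico YubiKey 5 device: the known Reset Code value can be used to reset the User PIN if the Reset Code retry counter has been set to non-zero without changing the Reset Code.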
Yes, Yubico has released a firmware update to fix the vulnerability. Please refer to their website for the latest firmware version.