CVE-2020-15000
5.9
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.2 / Impact: 3.6
Source: NVD
Description
A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required.
Affected (1)
Products: Yubico: Yubikey 5 Nfc Firmware
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| From 5.2.0 to 5.2.6 |
| Running on/with | Platform Versions |
|---|---|
Yubico Yubikey 5 Nfc | All versions |
References (2)
Source: cve@mitre.org
MitigationVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
MitigationVendor Advisory
Timeline
No history available yet.