CVE-2024-45678

Published: Sep 3, 2024Modified: Mar 17, 2025

4.2

Vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 0.5 / Impact: 3.6

Source: NVD

Description

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

Affected (18)

Yubico

18 products

Yubikey 5c Nfc Firmware

Yubikey 5 Nfc Firmware

Yubikey 5c Firmware

Yubikey 5 Nano Firmware

Yubikey 5c Nano Firmware

Yubikey 5ci Firmware

Yubikey 5 Nfc Fips Firmware

Yubikey 5c Nfc Fips Firmware

Yubikey 5c Fips Firmware

Yubikey 5 Nano Fips Firmware

Yubikey 5c Nano Fips Firmware

Yubikey 5ci Fips Firmware

Yubikey C Bio Firmware

Yubikey Bio Firmware

Security Key Nfc By Yubico Firmware

Security Key C Nfc By Yubico Firmware

Yubihsm 2 Fips Firmware

Yubihsm 2 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5c Nfc Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5c Nfc	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5 Nfc Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5 Nfc	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5c Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5c	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5 Nano Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5 Nano	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5c Nano Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5c Nano	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5ci Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5ci	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5 Nfc Fips Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5 Nfc Fips	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5c Nfc Fips Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5c Nfc Fips	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5c Fips Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5c Fips	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5 Nano Fips Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5 Nano Fips	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5c Nano Fips Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5c Nano Fips	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey 5ci Fips Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Yubikey 5ci Fips	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey C Bio Firmware	Before 5.7.2

Running on/with	Platform Versions
Yubico Yubikey C Bio	All versions

Configuration N

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubikey Bio Firmware	Before 5.7.2

Running on/with	Platform Versions
Yubico Yubikey Bio	All versions

Configuration O

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Security Key Nfc By Yubico Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Security Key Nfc By Yubico	All versions

Configuration P

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Security Key C Nfc By Yubico Firmware	Before 5.7

Running on/with	Platform Versions
Yubico Security Key C Nfc By Yubico	All versions

Configuration Q

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubihsm 2 Fips Firmware	Before 2.4.0

Running on/with	Platform Versions
Yubico Yubihsm 2 Fips	Version 2.2

Configuration R

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Yubico Yubihsm 2 Firmware	Before 2.4.0

Running on/with	Platform Versions
Yubico Yubihsm 2	Version 2.3.2

Related CWEs

CWE-203

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (6)

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

Source: cve@mitre.org

Press/Media Coverage

https://news.ycombinator.com/item?id=41434500

Source: cve@mitre.org

Issue Tracking

https://ninjalab.io/eucleak/

Source: cve@mitre.org

Third Party Advisory

https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf

Source: cve@mitre.org

Technical Description

https://support.yubico.com/hc/en-us/articles/15705749884444

Source: cve@mitre.org

MitigationThird Party Advisory

https://www.yubico.com/support/security-advisories/ysa-2024-03/

Source: cve@mitre.org

Vendor Advisory

Timeline

No history available yet.