CVE-2024-45678

MEDIUM EPSS 24.7%
Published Sep 3, 20241y ago · Modified Jun 17, 20262w ago
4.2 CVSS 3.1
Medium
Find Similar
Published Sep 3, 2024 1y ago
Last Modified Jun 17, 2026 2w ago

Description

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

CVSS Details

Base Score
4.2
Exploitability
0.5
Impact
3.6
Vector string
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Physical
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
24.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-203

Affected Products 36

VendorProductVersionRange
yubicoyubikey_5c_nfc_firmware* <5.7
yubicoyubikey_5c_nfc*any
yubicoyubikey_5_nfc_firmware* <5.7
yubicoyubikey_5_nfc*any
yubicoyubikey_5c_firmware* <5.7
yubicoyubikey_5c*any
yubicoyubikey_5_nano_firmware* <5.7
yubicoyubikey_5_nano*any
yubicoyubikey_5c_nano_firmware* <5.7
yubicoyubikey_5c_nano*any
yubicoyubikey_5ci_firmware* <5.7
yubicoyubikey_5ci*any
yubicoyubikey_5_nfc_fips_firmware* <5.7
yubicoyubikey_5_nfc_fips*any
yubicoyubikey_5c_nfc_fips_firmware* <5.7
yubicoyubikey_5c_nfc_fips*any
yubicoyubikey_5c_fips_firmware* <5.7
yubicoyubikey_5c_fips*any
yubicoyubikey_5_nano_fips_firmware* <5.7
yubicoyubikey_5_nano_fips*any
yubicoyubikey_5c_nano_fips_firmware* <5.7
yubicoyubikey_5c_nano_fips*any
yubicoyubikey_5ci_fips_firmware* <5.7
yubicoyubikey_5ci_fips*any
yubicoyubikey_c_bio_firmware* <5.7.2
yubicoyubikey_c_bio*any
yubicoyubikey_bio_firmware* <5.7.2
yubicoyubikey_bio*any
yubicosecurity_key_nfc_by_yubico_firmware* <5.7
yubicosecurity_key_nfc_by_yubico*any
yubicosecurity_key_c_nfc_by_yubico_firmware* <5.7
yubicosecurity_key_c_nfc_by_yubico*any
yubicoyubihsm_2_fips_firmware* <2.4.0
yubicoyubihsm_2_fips2.2any
yubicoyubihsm_2_firmware* <2.4.0
yubicoyubihsm_22.3.2any

References 6

  • arstechnica.com https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/
    Press/Media Coverage
  • news.ycombinator.com https://news.ycombinator.com/item?id=41434500
    Issue Tracking
  • ninjalab.io https://ninjalab.io/eucleak/
    Third Party Advisory
  • ninjalab.io https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf
    Technical Description
  • support.yubico.com https://support.yubico.com/hc/en-us/articles/15705749884444
    MitigationThird Party Advisory
  • yubico.com https://www.yubico.com/support/security-advisories/ysa-2024-03/
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.