Guest User

Untitled

a guest
May 11th, 2022
3,539
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.95 KB | None | 0 0
  1. CVE-2022-24584: Incorrect access control in Yubico OTP functionality of the Yu bi Key hardware tokens along with the Yubico OTP validation server
  2.  
  3. https://boards.4channel.org/g/thread/86801252
  4. https://i.4cdn.org/g/1651680877341.jpg
  5. https://anonfiles.com/Tav0bddby7/CVE-2022-24584_pdf
  6. https://cdn-130.anonfiles.com/Tav0bddby7/3602e604-1651679466/CVE-2022-24584.pdf
  7. https://anonfiles.com/Ddk0d4d7y7/yubico_zip
  8. https://cdn-104.anonfiles.com/Ddk0d4d7y7/9f80ed64-1651685867/yubico.zip
  9.  
  10. All links are included in the Internet Archive/Wayback Machine
  11. Screenshots for Proof of Vulnerability are included as attachments in the PDF.
  12.  
  13. Hello,
  14.  
  15. I am writing to you to report a security vulnerability in the Yubico OTP Validation Server. I assess the
  16. severity NOT to be High, mostly because Yubico OTP isn't as widely used as the alternatives, such as U2f,
  17. FIDO etc., but regardless I believe it must be published and an advisory issued.
  18.  
  19. The product claims made on the product page state that the Yubico OTPs are hardware bound and
  20. unclonable. This might be correct AFTER the configuration has been written to the device. But, someone
  21. could make a duplicate device using the same configuration. After reprogramming, the new
  22. configuration will have to be uploaded to the Yubico servers. I have shown that the server will accept
  23. any uploaded configuration and, even though the upload form asks for the serial number, it is not
  24. utilized to make sure that the configuration is actually bound to a particular device.
  25.  
  26. The conclusion is that only OTPs starting with "cc" are hardware bound, since they are programmed at
  27. the factory. In the case where the customer wants to program custom secrets, the new configuration
  28. uploaded to the Yubico server (OTPs starting with "vv") are not hardware bound and the serial number
  29. isn't checked.
  30.  
  31. I have already applied for a CVE ID (CVE-2022-24584) but haven't otherwise publicized these findings
  32. and I leave it to you.
  33.  
  34. Thank you,
  35. [REDACTED]
Add Comment
Please, Sign In to add comment