Access Control Vulnerability in YubiKey Hardware Tokens and Validation Server
CVE-2022-24584

6.5 MEDIUM

Key Information:

Vendor: Yubico
Status: Vendor
CVE Published: 11 May 2022

What is CVE-2022-24584?

This vulnerability involves improper access control within the Yubico OTP functionality of YubiKey hardware tokens. It allows a user to reprogram their OTP credentials using the Yubico Personalization Tool and upload the modified configuration to Yubico's OTP validation servers. The flaw arises from the expectation that import secrets are managed securely; if they are mishandled, the result can be unauthorized access or misuse. While Yubico argues that there is no technical mechanism in place to prevent a user from deciding to store secret values elsewhere, this highlights significant risks in the handling of OTP configurations.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
