2024-09-11 05:14:48

tigs on Nostr (mentioning Bevo, chef4brains, kdnolan):

The response from Yubico.

Thank you for your response and clarification, I really appreciate it. Please allow me to provide a quick overview of the advisory and the recommended steps you can take.

Advisory summary: A vulnerability was discovered in Infineon’s cryptographic library, which is utilized in all YubiKey Series and Security Key Series with firmware prior to 5.7.0 and YubiHSM 2 with firmware prior to 2.4.0. Yubico has defined this as a moderate severity vulnerability.

It's important to note that Yubico has been shipping keys with the newly released 5.7 firmware since May 2024, and YubiHSM 2.4 will be available later this month.
(For FIPS devices, we are targeting submission of YubiKey 5.7 and YubiHSM 2.4 for FIPS 140-3 validation in October of 2024.)
To further elaborate, a sophisticated attacker would require physical possession of the YubiKey, knowledge of the accounts they want to target, and specialized equipment and expertise to perform the necessary attack.

More detailed information regarding the vulnerability can be found in the official security advisory: Security Advisory YSA-2024-03

What we recommend: To mitigate any risks related to this vulnerability, and as best practice in general, Yubico recommends that users always maintain physical control of their YubiKeys. If a YubiKey is ever lost or stolen, users should immediately deregister it from all registered services or accounts and ensure they have backup authentication methods set up. Ideally, you should have 2 or more YubiKeys set up on each service for backup and recovery scenarios.

Replacement policy: Historically, Yubico has only offered replacements for High/Critical severity vulnerabilities. Since YSA-2024-03 is classified as a moderate severity vulnerability, there is no blanket replacement program in place, nor is this vulnerability covered under Yubico’s Warranty Policy.

I hope this helps clarify the situation, Oliver, and guides you on the best steps to take going forward. If you have any further questions or need additional assistance, please feel free to reach back out and let us know. We’re here to help!
Best,

Robert | Customer Support Specialist
Author Public Key
npub1q7why7lw8kq9ufr43ps75ngz3vhx5duqt7xmgklcq3dljqqfjegq2km2vr
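The support reply above gives two firmware thresholds: YubiKey Series and Security Key Series before 5.7.0, and YubiHSM 2 before 2.4.0. The script below is an added example (it is not part of the post and not Yubico's own tooling) that turns those thresholds into a check a practitioner can run against an inventory of devices. It assumes that `ykman info` prints a line of the form `Firmware version: 5.4.3` (a constructed sample of that output is embedded, so nothing here talks to real hardware); the `FIXED_FIRMWARE` table and all function names are this example's own.

```python
import re
from typing import Dict, Optional, Tuple

# First firmware version in which the issue is fixed, as stated in the
# YSA-2024-03 summary quoted above. Everything below these is affected.
FIXED_FIRMWARE: Dict[str, Tuple[int, int, int]] = {
    "yubikey": (5, 7, 0),   # YubiKey Series / Security Key Series
    "yubihsm2": (2, 4, 0),  # YubiHSM 2
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '5.4.3' (or '5.7') into a comparable tuple, padded to 3 parts.

    Padding matters: without it, (5, 7) < (5, 7, 0) would be True and a
    '5.7' device would be wrongly flagged as affected.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def is_affected(product: str, version: str) -> bool:
    """True if the given firmware version is below the fixed release."""
    return parse_version(version) < FIXED_FIRMWARE[product]


# Assumption: `ykman info` reports the firmware on a line like this.
_FW_LINE = re.compile(r"^Firmware version:\s*([0-9.]+)\s*$", re.MULTILINE)


def firmware_from_ykman_info(output: str) -> Optional[str]:
    """Pull the firmware version string out of captured `ykman info` text."""
    m = _FW_LINE.search(output)
    return m.group(1) if m else None


def assess_ykman_info(output: str) -> Dict[str, Optional[object]]:
    """Summarise one device: its firmware and whether YSA-2024-03 applies.

    'affected' is None when no firmware line was found, so an inventory
    script can distinguish 'not vulnerable' from 'could not determine'.
    """
    fw = firmware_from_ykman_info(output)
    return {
        "firmware": fw,
        "affected": is_affected("yubikey", fw) if fw is not None else None,
    }


# Constructed samples of `ykman info` output (not captured from real keys).
SAMPLE_OLD_KEY = """Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
"""

SAMPLE_NEW_KEY = """Device type: YubiKey 5C NFC
Serial number: 87654321
Firmware version: 5.7.1
Form factor: Keychain (USB-C)
"""


if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD_KEY), ("new", SAMPLE_NEW_KEY)):
        print(label, assess_ykman_info(text))
    print("YubiHSM 2 on 2.3.1 affected:", is_affected("yubihsm2", "2.3.1"))
```

On a real fleet you would feed each key's `ykman info` output into `assess_ykman_info` and act on the `affected` flag per the reply's own guidance: keep physical control of the key, deregister it everywhere if it is ever lost, and keep at least one backup key per service. Note that YubiKey firmware is not user-upgradeable, so an affected key stays affected; the only way to get a 5.7.0+ key is a new device.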