A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required.
References
Link | Resource |
---|---|
https://www.yubico.com/support/security-advisories/ysa-2020-05/ | Mitigation Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-07-09T17:57:40
Updated: 2020-07-09T17:57:40
Reserved: 2020-06-23T00:00:00
Link: CVE-2020-15000
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-07-09T18:15:10.927
Modified: 2020-07-21T16:21:39.483
Link: CVE-2020-15000
JSON object: View
Redhat Information
No data.
CWE