Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. The Yubico OTP supposedly creates hardware bound second factor credentials. When a user reprograms the OTP functionality by "writing" it on a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubicos OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a secret value, which is imported into the device, should also be stored elsewhere
References
Link | Resource |
---|---|
https://demo.yubico.com/otp/verify | Vendor Advisory |
https://pastebin.com/7iLR1EbW | Exploit Third Party Advisory |
https://pastebin.com/xAh8uV6J | Third Party Advisory |
https://upload.yubico.com/ | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-05-11T17:49:59
Updated: 2022-07-01T14:06:57
Reserved: 2022-02-07T00:00:00
Link: CVE-2022-24584
JSON object: View
NVD Information
Status : Modified
Published: 2022-05-11T18:15:23.973
Modified: 2024-05-17T02:06:15.990
Link: CVE-2022-24584
JSON object: View
Redhat Information
No data.
CWE