Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 5 Apr 2024 02:24:54 +1100
From: Matthew Fernandez <matthew.fernandez@...il.com>
To: oss-security@...ts.openwall.com
Subject: YSA-2024-01: YubiKey Manager Privilege Escalation

I am not affiliated with Yubico, but I was recently made aware of the 
following which may be relevant to list members. The “YubiKey Manager 
GUI” software mentioned is the open source code at 
https://github.com/Yubico/yubikey-manager-qt.

https://www.yubico.com/support/security-advisories/ysa-2024-01/

> Published Date: 2024-04-04
> Tracking IDs: YSA-2024-01
> CVE: Link pending
> CVSS 3.1: 7.7
> Summary
> 
> A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be opened as Administrator which could be exploited by a local attacker to perform actions as Administrator. Under this circumstance, some browsers like Edge for example, have additional mitigations to prevent opening as Administrator.
> Affected software
> 
> The affected tool is YubiKey Manager GUI (commonly known as ykman-gui) with versions prior to 1.2.6. The issue impacts installations on Windows because Windows requires Administrative permissions to interact with FIDO authenticators. For other operating systems, YubiKey Manager GUI should not be run with elevated permissions.
> Not affected software
> 
> Installations of Yubikey Manager GUI on platforms other than Windows are not impacted by this issue.
> How to tell if you are affected
> 
> You are affected if you have YubiKey Manager GUI versions < 1.2.6 installed on a computer that is running Windows and is not using Edge as the default browser. You can check the version of YubiKey Manager GUI you have installed by clicking the “About” menu in the YubiKey Manager GUI.
> 
> Customer Actions
> 
> Yubico recommends that affected customers update to the latest version of YubiKey Manager available for download from our website<https://github.com/Yubico/yubikey-manager-qt> or directly from GitHub<https://github.com/Yubico/yubikey-manager-qt>.
> Alternate Mitigations
> 
>     Running YubiKey Manager GUI elevated is only required for using the FIDO features. In cases where users do not require FIDO features in YubiKey Manager GUI, it can run as an unelevated user to avoid this issue.
>     Users can set Microsoft Edge as their default browser which includes mitigations to avoid inheriting Administrative permissions when opened in this way.
> 
> Issue Details
> 
> Yubikey Manager GUI is a tool for managing the various features of a Yubikey, including FIDO, OTP or PIV. In certain situations, the tool spawns the system default browser as a child process. This action requires user interaction with the tool and is not automatically triggered.
> 
> On Windows systems, the ability to communicate with FIDO authenticators requires Administrator privileges. This is a limitation built into the operating system by Microsoft. Thus, in order to interact with the FIDO functionality of the Yubikey, the user must run Yubikey Manager GUI with Administrator privileges. Once YubiKey Manager GUI is run with Administrator privileges, any browser windows opened by YubiKey Manager GUI may also be elevated with Administrator privileges depending on the browser in use. This issue can be used by an attacker to escalate local attacks and increase the impact of browser based attacks.
> Severity
> 
> Yubico has rated this issue as High. It has a CVSS score of 7.7.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.