Security Advisory
Yubico, maker of YubiKeys, issued this advisory of vulnerabilities in their software application YubiKey Manager GUI https://www.yubico.com/support/security-advisories/ysa-2024-01/
WHO DOES THIS AFFECT?
Keys are Good. Program has vulnerability.
Only users of YubiKey Manager GUI versions perior to 1.2.6 installed on a computer that is running Windows and is not using Edge as the default browser.
Millions of people worldwide use YubiKeys for more secure multifactor authentication than the common SMS text message, email or phone call. It is also an alternative or adjunct to authenticator apps which are found on phones – like Google Authenticator, and apps from password managers like 1PAssword, Dashlane, and LastPass. YubiKeys and other hardware keys are generally more secure than using phones or emails as those accounts can be compromised or hijacked remotely. Physical keys are difficult to copy, clone, or interecpt.
SOLUTION
Download the latest version of YubiKey Manager GUI from Yubico.com website or directly from GitHub.
Bottomline
Update Software. Keep using advanced security options like hardware MFA tools.
Advisory April 4, 2024
Summary
A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be opened as Administrator which could be exploited by a local attacker to perform actions as Administrator. Under this circumstance, some browsers like Edge for example, have additional mitigations to prevent opening as Administrator.
Affected software
The affected tool is YubiKey Manager GUI (commonly known as ykman-gui) with versions prior to 1.2.6. The issue impacts installations on Windows because Windows requires Administrative permissions to interact with FIDO authenticators. For other operating systems, YubiKey Manager GUI should not be run with elevated permissions.
Not affected software
Installations of YubiKey Manager GUI on platforms other than Windows are not impacted by this issue.
How to tell if you are affected
You are affected if you have YubiKey Manager GUI versions < 1.2.6 installed on a computer that is running Windows and is not using Edge as the default browser. You can check the version of YubiKey Manager GUI you have installed by clicking the “About” menu in the YubiKey Manager GUI.
Customer Actions
Yubico recommends that affected customers update to the latest version of YubiKey Manager available for download from our website or directly from GitHub.
Alternate Mitigations
- Running YubiKey Manager GUI elevated is only required for using the FIDO features. In cases where users do not require FIDO features in YubiKey Manager GUI, it can run as an unelevated user to avoid this issue.
- Users can set Microsoft Edge as their default browser which includes mitigations to avoid inheriting Administrative permissions when opened in this way.
Issue Details
YubiKey Manager GUI is a tool for managing the various features of a YubiKey, including FIDO, OTP or PIV. In certain situations, the tool spawns the system default browser as a child process. This action requires user interaction with the tool and is not automatically triggered.
On Windows systems, the ability to communicate with FIDO authenticators requires Administrator privileges. This is a limitation built into the operating system by Microsoft. Thus, in order to interact with the FIDO functionality of the YubiKey, the user must run YubiKey Manager GUI with Administrator privileges. Once YubiKey Manager GUI is run with Administrator privileges, any browser windows opened by YubiKey Manager GUI may also be elevated with Administrator privileges depending on the browser in use. This issue can be used by an attacker to escalate local attacks and increase the impact of browser based attacks.
Severity
Yubico has rated this issue as High. It has a CVSS score of 7.7.
Timeline
| February 1, 2024 | Issue identified |
| April 4, 2024 | Yubico releases advisory |