• Security Advisory YSA-2024-01

    Security Advisory YSA-2024-01 YubiKey Manager Privilege Escalation

    Published Date: 2024-04-04
    Tracking IDs: YSA-2024-01
    CVE: CVE-2024-31498
    CVSS 3.1: 7.7

    Summary

    A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be opened as Administrator which could be exploited by a local attacker to perform actions as Administrator. Under this circumstance, some browsers like Edge for example, have additional mitigations to prevent opening as Administrator.

    Affected software

    The affected tool is YubiKey Manager GUI (commonly known as ykman-gui) with versions prior to 1.2.6. The issue impacts installations on Windows because Windows requires Administrative permissions to interact with FIDO authenticators. For other operating systems, YubiKey Manager GUI should not be run with elevated permissions.

    Not affected software and Devices

    Installations of YubiKey Manager GUI on platforms other than Windows are not impacted by this issue.

    YubiHSM 2, YubiHSM, YubiHSM 2 FIPS, YubiKey 5 Series, YubiKey 5 FIPS Series, YubiKey 5 CSPN Series, YubiKey Bio Series, YubiKey 4 Series, YubiKey FIPS Series, Security Key Series, or previous generation YubiKey devices are not impacted.

    How to tell if you are affected

    You are affected if you have YubiKey Manager GUI versions < 1.2.6 installed on a computer that is running Windows and is not using Edge as the default browser. You can check the version of YubiKey Manager GUI you have installed by clicking the “About” menu in the YubiKey Manager GUI.

    YubiKey Manager GUI

    Customer Actions

    Yubico recommends that affected customers update to the latest version of YubiKey Manager available for download from our website or directly from GitHub.

    Alternate Mitigations

    1. Running YubiKey Manager GUI elevated is only required for using the FIDO features. In cases where users do not require FIDO features in YubiKey Manager GUI, it can run as an unelevated user to avoid this issue.
    2. Users can set Microsoft Edge as their default browser which includes mitigations to avoid inheriting Administrative permissions when opened in this way.

    Issue Details

    YubiKey Manager GUI is a tool for managing the various features of a YubiKey, including FIDO, OTP or PIV. In certain situations, the tool spawns the system default browser as a child process. This action requires user interaction with the tool and is not automatically triggered.

    On Windows systems, the ability to communicate with FIDO authenticators requires Administrator privileges. This is a limitation built into the operating system by Microsoft. Thus, in order to interact with the FIDO functionality of the YubiKey, the user must run YubiKey Manager GUI with Administrator privileges. Once YubiKey Manager GUI is run with Administrator privileges, any browser windows opened by YubiKey Manager GUI may also be elevated with Administrator privileges depending on the browser in use. This issue can be used by an attacker to escalate local attacks and increase the impact of browser based attacks.

    Severity

    Yubico has rated this issue as High. It has a CVSS score of 7.7.

    Timeline

    February 1, 2024Issue identified
    April 4, 2024Yubico releases advisory