Yubico issues a security alert to Windows YubiKey users AFP VIA GETTY IMAGESWhen it comes to user authentication, there are many options available, from passwords at the weaker end of the security spectrum to hardware keys at the other. But what if the hardware security key you use could leave your operating system exposed to attack? Yubico, the security vendor behind the range of YubiKey products, has issued a security advisory warning of just that scenario for Windows users.
Yubico Security Advisory YSA-2024-01Yubico is quite rightly considered to have one of the most secure authentication products in its YubiKey hardware security key range. If proof is needed you only have to look at the
Yubico security advisories page entries for the last three years where there are none listed for 2022, one for 2023 and one for 2024. It’s the last of these that impacts Windows users, although not those who use Edge as their web browser client of choice.
Yubico
security advisory YSA-2024-01 concerns the YubiKey Manager software which has a vulnerability that could lead to an escalation of privileges attack for Windows users. The vulnerability is listed as
CVE-2024-31498 and has a Common Vulnerability Scoring System rating of 7.7 which means this is a high-risk issue rather than a critical one.
Yubico says, “If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by the YubiKey Manager GUI may be opened as Administrator, which could be exploited by a local attacker to perform actions as Administrator.” If this sounds worrying that’s because it is. An attacker, who would already need to have local access to the Windows machine concerned, could use this privilege escalation to further compromise that system. “This issue can be used by an attacker to escalate local attacks and increase the impact of browser-based attacks,” Yubico warns.
Affected Software And SystemsCVE-2024-31498 affects versions of YubiKey Manager prior to 1.2.6 and those Windows users who are not using Edge as their default browser. Yubico explains that it only impacts Windows users as the operating system requires admin privileges to interact with FIDO authenticators such as the YubiKey. On other operating systems, this level of elevated permissions is not required. Windows users are, therefore, advised to click on the About menu in the software and check to see what version they are using. Anything before 1.2.6 should be updated accordingly. The latest version of YubiKey Manager can be
downloaded directly from the Yubico website or
GitHub.
Other Mitigations For The YubiKey Manager VulnerabilityThe Fast IDentity Online Alliance is an open standard for authentication that, in its FIDO2 guise, can provide passwordless single-factor authentication as well as two and multi-factor authentication options among other things. Yubico advises that users not requiring the
FIDO features do not need to run YubiKey Manager GUI as an elevated privilege user. Windows users can also configure Microsoft Edge as their default web browser, as this already includes mitigations that prevent admin permissions from being inherited when initiated the way this vulnerability enables. That said, I would not recommend switching to Edge from your preferred browser; take the software update route instead, and then there’s no need.
source
