===================================================================== CERT-Renater Note d'Information No. 2024/VULN174 _____________________________________________________________________ DATE : 05/04/2024 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running YubiKey Manager GUI versions prior to 1.2.6. ===================================================================== https://www.yubico.com/support/security-advisories/ysa-2024-01/ _____________________________________________________________________ Security Advisory YSA-2024-01 YubiKey Manager Privilege Escalation Published Date: 2024-04-04 Tracking IDs: YSA-2024-01 CVE: Link pending CVSS 3.1: 7.7 Summary A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be opened as Administrator which could be exploited by a local attacker to perform actions as Administrator. Under this circumstance, some browsers like Edge for example, have additional mitigations to prevent opening as Administrator. Affected software The affected tool is YubiKey Manager GUI (commonly known as ykman-gui) with versions prior to 1.2.6. The issue impacts installations on Windows because Windows requires Administrative permissions to interact with FIDO authenticators. For other operating systems, YubiKey Manager GUI should not be run with elevated permissions. Not affected software Installations of YubiKey Manager GUI on platforms other than Windows are not impacted by this issue. How to tell if you are affected You are affected if you have YubiKey Manager GUI versions < 1.2.6 installed on a computer that is running Windows and is not using Edge as the default browser. You can check the version of YubiKey Manager GUI you have installed by clicking the “About” menu in the YubiKey Manager GUI. Customer Actions Yubico recommends that affected customers update to the latest version of YubiKey Manager available for download from our website or directly from GitHub. Alternate Mitigations Running YubiKey Manager GUI elevated is only required for using the FIDO features. In cases where users do not require FIDO features in YubiKey Manager GUI, it can run as an unelevated user to avoid this issue. Users can set Microsoft Edge as their default browser which includes mitigations to avoid inheriting Administrative permissions when opened in this way. Issue Details YubiKey Manager GUI is a tool for managing the various features of a YubiKey, including FIDO, OTP or PIV. In certain situations, the tool spawns the system default browser as a child process. This action requires user interaction with the tool and is not automatically triggered. On Windows systems, the ability to communicate with FIDO authenticators requires Administrator privileges. This is a limitation built into the operating system by Microsoft. Thus, in order to interact with the FIDO functionality of the YubiKey, the user must run YubiKey Manager GUI with Administrator privileges. Once YubiKey Manager GUI is run with Administrator privileges, any browser windows opened by YubiKey Manager GUI may also be elevated with Administrator privileges depending on the browser in use. This issue can be used by an attacker to escalate local attacks and increase the impact of browser based attacks. Severity Yubico has rated this issue as High. It has a CVSS score of 7.7. Timeline February 1, 2024 Issue identified April 4, 2024 Yubico releases advisory ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================