CVE-2020-15000

low-risk
Published 2020-07-09

A PIN management problem was discovered on Yubico YubiKey 5 devices 5.2.0 to 5.2.6. OpenPGP has three passwords: Admin PIN, Reset Code, and User PIN. The Reset Code is used to reset the User PIN, but it is disabled by default. A flaw in the implementation of OpenPGP sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is set to non-zero without changing the Reset Code, this known value can be used to reset the User PIN. To set the retry counters, the Admin PIN is required.

Do I need to act?

-
0.23% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Yubikey 5 Nfc Firmware

Affected Vendors

Yubico

References (2)

Mitigation https://www.yubico.com/support/security-advisories/ysa-2020-05/
Mitigation https://www.yubico.com/support/security-advisories/ysa-2020-05/
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal