CVE & CISA-KEV Catalog

CVE-2024-45678

MEDIUM
4.2
CVSS v3
NVD

Description

Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.

How to fix

Remediation Available
security key c nfc by yubico firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
security key nfc by yubico firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubihsm 2 fips firmwareNVD
Affected:< 2.4.0Fixed in:2.4.0CVE-2024-45678derived from NVD
yubihsm 2 firmwareNVD
Affected:< 2.4.0Fixed in:2.4.0CVE-2024-45678derived from NVD
yubikey 5 nano fips firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5 nano firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5 nfc fips firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5 nfc firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5c fips firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5c firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5c nano fips firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5c nano firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5c nfc fips firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5c nfc firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5ci fips firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey 5ci firmwareNVD
Affected:< 5.7Fixed in:5.7CVE-2024-45678derived from NVD
yubikey bio firmwareNVD
Affected:< 5.7.2Fixed in:5.7.2CVE-2024-45678derived from NVD
yubikey c bio firmwareNVD
Affected:< 5.7.2Fixed in:5.7.2CVE-2024-45678derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorPhysical
Attack ComplexityHigh
Privileges RequiredNone
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityNone
AvailabilityNone

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploit Intelligence

0.33%probability of exploitation in 30 days
25thpercentile

Low risk: more likely to be exploited than 25% of all known CVEs.

References

Vendor Advisory1
Third-Party Advisory1
Issue Tracking1
Technical Description1
Press / Media1

Related Vulnerabilities

Other CWE-203 vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2017-5753Medium5.694%-Fix
CVE-2003-0190Medium5.077%-Fix
CVE-2017-5715Medium5.674%-Fix
CVE-2018-3639Medium5.561%-Fix
CVE-2023-28770High7.558%-Fix
CVE-2004-1602Medium5.031%--
Embed a live status badge for CVE-2024-45678
CVE-2024-45678 severity badge

Markdown

[![CVE-2024-45678](https://tridentstack.com/cve/badge/CVE-2024-45678.svg)](https://tridentstack.com/cve/CVE-2024-45678)

HTML

<a href="https://tridentstack.com/cve/CVE-2024-45678"><img src="https://tridentstack.com/cve/badge/CVE-2024-45678.svg" alt="CVE-2024-45678"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-03-17.