PT-2020-14109 · Yubico · Yubikey 5

Published: 2020-07-09 · Updated: 2020-07-21 · CVE-2020-15000

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Yubico YubiKey 5 devices, versions 5.2.0 through 5.2.6

Description: A PIN management problem was discovered in Yubico YubiKey 5 devices. The issue involves the OpenPGP application, which has three passwords: the Admin PIN, the Reset Code, and the User PIN. The Reset Code, used to reset the User PIN, is disabled by default. However, a flaw in the OpenPGP implementation sets the Reset Code to a known value upon initialization. If the retry counter for the Reset Code is then set to a non-zero value without changing the Reset Code, this known value can be used to reset the User PIN. Setting the retry counters itself requires the Admin PIN.

Recommendations: For Yubico YubiKey 5 devices running versions 5.2.0 through 5.2.6, update the device to a version where the Reset Code is properly initialized, or change the Reset Code after setting its retry counter so that the known initial value cannot be used to reset the User PIN. As a temporary workaround, consider restricting access to the Admin PIN to minimize the risk of exploitation.
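A triage check that an administrator can run over a fleet of tokens, added here as an example and not part of the advisory or of Yubico's tooling. It assumes two text inputs collected locally: the "Firmware version:" line from `ykman info` and the "PIN retry counter" line from `gpg --card-status`, whose three values are taken (assumption) to be the User PIN, Reset Code and Admin PIN counters in that order; a device on affected firmware whose Reset Code retry counter is non-zero is reported as at risk.

```python
"""Triage check for CVE-2020-15000 (YubiKey 5 OpenPGP Reset Code).

Added example, not from the advisory or from Yubico. Assumes the output of
`ykman info` (for "Firmware version:") and of `gpg --card-status` (for the
"PIN retry counter" line, read as User PIN, Reset Code, Admin PIN).
"""
import re

# Affected range stated in the advisory: 5.2.0 through 5.2.6 inclusive.
AFFECTED_MIN = (5, 2, 0)
AFFECTED_MAX = (5, 2, 6)


def parse_firmware_version(ykman_info: str) -> tuple:
    """Extract (major, minor, patch) from `ykman info` output."""
    m = re.search(r"Firmware version:\s*(\d+)\.(\d+)\.(\d+)", ykman_info)
    if not m:
        raise ValueError("no 'Firmware version:' line found")
    return tuple(int(x) for x in m.groups())


def parse_retry_counters(card_status: str) -> dict:
    """Extract the three OpenPGP retry counters from `gpg --card-status`."""
    m = re.search(r"PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)", card_status)
    if not m:
        raise ValueError("no 'PIN retry counter' line found")
    user_pin, reset_code, admin_pin = (int(x) for x in m.groups())
    return {"user_pin": user_pin, "reset_code": reset_code, "admin_pin": admin_pin}


def assess(ykman_info: str, card_status: str) -> dict:
    """Flag a device on affected firmware whose Reset Code is enabled.

    A Reset Code retry counter of 0 means the Reset Code is disabled (the
    default). A non-zero counter on affected firmware is the at-risk state
    unless the Reset Code was explicitly changed, which this check cannot
    observe from the outside, so it is reported as at risk.
    """
    version = parse_firmware_version(ykman_info)
    counters = parse_retry_counters(card_status)
    affected = AFFECTED_MIN <= version <= AFFECTED_MAX
    enabled = counters["reset_code"] > 0
    return {"firmware": version, "affected_firmware": affected,
            "reset_code_enabled": enabled, "at_risk": affected and enabled}


# Constructed sample outputs (not captured from a real device).
YKMAN_SAMPLE = "Device type: YubiKey 5 NFC\nSerial number: 00000000\nFirmware version: 5.2.4\n"
CARD_SAMPLE_ENABLED = "PIN retry counter : 3 3 3\n"
CARD_SAMPLE_DISABLED = "PIN retry counter : 3 0 3\n"

if __name__ == "__main__":
    print(assess(YKMAN_SAMPLE, CARD_SAMPLE_ENABLED))
```

Devices the check reports as at risk should have their Reset Code changed (or the firmware updated) under the Admin PIN, per the recommendations above.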

Fix

Related Identifiers

CVE-2020-15000

Affected Products

Yubikey 5