PT-2020-14110 · Yubico · Yubikey 5 Nfc

Published: 2020-07-09 · Updated: 2021-07-21 · CVE-2020-15001

CVSS v3.1: 5.3 (Medium)

Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Yubico YubiKey 5 NFC devices versions 5.0.0 through 5.2.6
Yubico YubiKey 5 NFC devices versions 5.3.0 through 5.3.1

Description

An information leak was discovered in the OTP application, which allows users to set optional access codes on OTP slots. However, the access code is not checked when updating NFC-specific components of the OTP configurations. This may allow an attacker to access configured OTPs and passwords stored in slots that were not configured by the user to be read over NFC, despite a user having set an access code. Users who have not set an access code or who have not configured the OTP slots are not impacted by this issue.

Recommendations

For versions 5.0.0 through 5.2.6, consider disabling the NFC functionality for OTP slots until a patch is available. For versions 5.3.0 through 5.3.1, consider disabling the NFC functionality for OTP slots until a patch is available. As a temporary workaround, consider restricting access to the OTP application to minimize the risk of exploitation.

Exploit

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2020-15001

Affected Products

Yubikey 5 Nfc