PT-2024-31724 · Yubico · YubiKey 5 Series +1

Thomas Roche · Published 2024-09-03 · Updated 2026-04-28 · CVE-2024-45678

CVSS v3.1: 4.2 Medium

Vector: AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Yubico YubiKey 5 Series devices with firmware before 5.7.0; YubiHSM 2 devices with firmware before 2.4.0
Description: The issue allows an ECDSA secret-key extraction attack that requires physical access and expensive equipment. The attack is possible because the modular inversion, implemented with the Extended Euclidean Algorithm, is not constant-time, which creates an electromagnetic side channel; this is also known as the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected. The attack potentially exposes millions to cloning risk.
Recommendations: For Yubico YubiKey 5 Series devices with firmware before 5.7.0, update the firmware to version 5.7.0 or later. For YubiHSM 2 devices with firmware before 2.4.0, update the firmware to version 2.4.0 or later.
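The description attributes the leak to a modular inversion that is not constant-time. The following is an added illustration, not code from Infineon, Yubico or this advisory: it contrasts a textbook Extended Euclidean inversion, whose loop length depends on the value being inverted, with a Fermat-exponentiation inversion whose operation sequence is fixed by the public modulus. The function names, the choice of the P-256 group order and the sample nonces are assumptions made for the example.

```python
# Added illustration: control-flow structure only, not vendor code.
# Python big-int arithmetic is itself not constant time; what matters here is
# the number of loop iterations each routine performs for a given input.

# Order of the NIST P-256 group, a public constant (assumed curve).
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
# Constructed sample nonces, chosen for the example only.
SAMPLE_NONCES = [1, 2, N - 1,
                 0x1F2E3D4C5B6A79881F2E3D4C5B6A79881F2E3D4C5B6A79881F2E3D4C5B6A7988]


def eea_inverse(k, n=N):
    """Invert k mod n with the Extended Euclidean Algorithm; return (inverse, steps)."""
    r0, r1 = n, k % n
    t0, t1 = 0, 1
    steps = 0
    while r1 != 0:                  # loop length is a function of the secret k
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1
    if r0 != 1:
        raise ValueError("k is not invertible modulo n")
    return t0 % n, steps


def fermat_inverse(k, n=N):
    """Invert k mod prime n as k^(n-2); return (inverse, modular operations)."""
    if k % n == 0:
        raise ValueError("k is not invertible modulo n")
    result, ops = k % n, 0
    for bit in bin(n - 2)[3:]:      # skip '0b' and the leading 1 bit
        result = result * result % n
        ops += 1
        if bit == "1":              # branch on a bit of the public exponent only
            result = result * k % n
            ops += 1
    return result, ops


def step_profile(nonces, invert):
    """Map each nonce to the loop/operation count reported by `invert`."""
    return {k: invert(k)[1] for k in nonces}
```

Calling `step_profile(SAMPLE_NONCES, eea_inverse)` yields different counts per nonce, while `step_profile(SAMPLE_NONCES, fermat_inverse)` yields one count for all of them.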

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2024-45678

Affected Products

YubiHSM 2
YubiKey 5 Series