Yubikey NEO OpenPGP advisory
Jose Castillo
jose.castillo at gmail.com
Tue Apr 21 19:48:14 CEST 2015
I haven’t seen this posted to the list yet, and thought it would be important for people who use the Yubikey NEO's OpenPGP functionality with GnuPG. It regards a vulnerability in the Yubikey NEO implementation of the OpenPGP smart card application:
https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html
Yubikeys running the vulnerable software will generate signatures and decrypt session keys unconditionally, i.e. without verifying the user’s PIN. I reported this vulnerability to Yubico on 4/11, and to their credit it was quickly fixed. Still, if you are using a Yubikey that you obtained prior to the fix being issued, you should be aware that this vulnerability could affect your security.
This issue also affected the upstream javacardopenpgp project [1], which has been updated with a fix as well.
[1]: http://sourceforge.net/projects/javacardopenpgp/
--
Joey Castillo
www.joeycastillo.com
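The failure the advisory describes, modelled in Python as an added example (not code from the post, from Yubico, or from the javacardopenpgp project): a simplified OpenPGP card applet whose PW1 gate can be switched off, plus the negative check a card owner would expect to pass, namely that every privileged command is refused before any VERIFY. The PW1 references 0x81/0x82 and the status word 0x6982 follow the OpenPGP card specification; the PIN value, payload formats and class layout are constructed for this model.

```python
"""Simplified model of the OpenPGP card PIN gate (constructed example, not real applet code)."""
from dataclasses import dataclass, field

SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982   # ISO 7816-4: command needs a PIN that was not verified
SW_PIN_WRONG = 0x63C0                        # 63Cx: wrong PIN (retry counter simplified to 0)

PW1_SIGN = 0x81    # PW1 reference that authorises PSO:COMPUTE DIGITAL SIGNATURE
PW1_OTHER = 0x82   # PW1 reference that authorises PSO:DECIPHER and other commands


@dataclass
class OpenPGPApplet:
    pin: str = "123456"            # constructed factory-default PW1
    enforce_pin: bool = True       # False reproduces the unconditional behaviour the advisory describes
    force_sig_pin: bool = True     # PW1 status byte 00: one signature per VERIFY of 0x81
    verified: set = field(default_factory=set)

    def verify(self, ref: int, candidate: str) -> int:
        if candidate != self.pin:
            return SW_PIN_WRONG
        self.verified.add(ref)
        return SW_OK

    def pso_sign(self, digest: bytes):
        if self.enforce_pin and PW1_SIGN not in self.verified:
            return SW_SECURITY_STATUS_NOT_SATISFIED, None
        if self.force_sig_pin:
            self.verified.discard(PW1_SIGN)   # verification is consumed by this signature
        return SW_OK, b"SIG:" + digest        # stand-in for the real signature

    def pso_decipher(self, ciphertext: bytes):
        if self.enforce_pin and PW1_OTHER not in self.verified:
            return SW_SECURITY_STATUS_NOT_SATISFIED, None
        return SW_OK, b"KEY:" + ciphertext    # stand-in for the unwrapped session key


def enforces_pin(card: OpenPGPApplet) -> bool:
    """Negative check on a fresh session: sign and decipher must both be refused
    with 0x6982 before any VERIFY. A card with the advisory's bug returns False."""
    fresh = OpenPGPApplet(pin=card.pin, enforce_pin=card.enforce_pin,
                          force_sig_pin=card.force_sig_pin)
    sign_sw, _ = fresh.pso_sign(b"\x00" * 32)
    dec_sw, _ = fresh.pso_decipher(b"ct")
    return sign_sw == SW_SECURITY_STATUS_NOT_SATISFIED and dec_sw == SW_SECURITY_STATUS_NOT_SATISFIED
```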