Introduction
The security advisory YSA-2024-01, published on April 4, 2024, has identified a security issue in the YubiKey Manager GUI, a tool used for managing the various features of a YubiKey, including FIDO, OTP, or ohter tokens. This issue could lead to unexpected privilege escalation on Windows systems.
Problem
The problem arises when a user runs the YubiKey Manager GUI as Administrator. In such cases, any browser windows that are opened by the YubiKey Manager GUI may also be opened with Administrator privileges. This could potentially be exploited by a local attacker to perform actions as an Administrator, escalating local attacks and increasing the impact of browser-based attacks.
This issue specifically affects YubiKey Manager GUI versions prior to 1.2.6 installed on Windows systems. This is because Windows requires Administrative permissions to interact with FIDO authenticators. However, installations of YubiKey Manager GUI on platforms other than Windows are not impacted by this issue. Similarly, YubiHSM 2, YubiHSM, YubiHSM 2 FIPS, YubiKey 5 Series, YubiKey 5 FIPS Series, YubiKey 5 CSPN Series, YubiKey Bio Series, YubiKey 4 Series, YubiKey FIPS Series, Security Key Series, or previous generation YubiKey devices are not affected.
Am I affected?
Users can determine if they are affected by checking the version of YubiKey Manager GUI installed on their Windows system. If it is a version less than 1.2.6, they are potentially at risk.
What to do?
To mitigate this issue, Yubico recommends that affected customers update to the latest version of YubiKey Manager available for download from their website or directly from GitHub. Alternatively, users can run YubiKey Manager GUI as an unelevated user or set Microsoft Edge as their default browser, as it includes mitigations to avoid inheriting Administrative permissions when opened in this way.
Yubico has rated the severity of this issue as High, with a CVSS score of 7.7, indicating that it is a significant security concern that should be addressed promptly.
Source: Security Advisory YSA-2024-01 YubiKey Manager Privilege Escalation