Yubico Recalls FIPS Yubikeys
Yubico, a maker of security keys and tokens, is recalling Yubiekey tokens for the YubiKey FIPS (Federal Information Processing Standards) series devices. These are high-end devices that are used by the federal governments.
“An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up. The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted. This issue occurs only during the power-up of the YubiKey FIPS Series, version 4.4.2 or 4.4.4. After the predictable content in the random buffer is consumed, the buffer will be filled with the intended full random number generator output, and all subsequent use of randomness will not be affected,” said the company in its advisory.
Yubico discovered the issue in March 2019 affecting YubiKey FIPS Series devices running firmware versions 4.4.2 and 4.4.4. The company started working on a fix and released version 4.4.5, which received FIPS certification on April 30, 2019.
Yubico said in an advisory, “The issue only affects certain use cases and scenarios. YubiKey FIPS applications utilizing ECDSA are at higher risk than other use cases. See the Technical Details section below for additional information about how this issue might impact different scenarios, as well as what mitigating factors exist.”
Yubico said that they are not aware of any security breaches due to this issue.
Source: https://www.yubico.com/support/security-advisories/ysa-2019-02/