Yubico YubiKey FIDO CTAP PIN/UV Auth Protocol Two Implementation Vulnerability

Vulnerability

A vulnerability exists in Yubico YubiKey firmware versions 5.4.1 through 5.7.3 (that is, versions prior to 5.7.4), related to the FIDO CTAP PIN/UV Authentication Protocol Two. These firmware versions incorrectly apply the signature length from Protocol One when verifying a Protocol Two signature, so only part of the signature is actually verified. This misalignment can create authentication issues, although the vulnerability is considered low severity because of the effort required to exploit it and the mitigations already present in the YubiKey and the FIDO protocol.

Impact

The vulnerability could lead to improper authentication by allowing a 16-byte signature (the Protocol One length, which is less secure) to be accepted where a 32-byte Protocol Two signature was required.
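The check described above, written as an added illustration (not Yubico firmware code): a spec-conformant verifier that uses the length of the protocol in use, next to a model of the flawed verifier that applies Protocol One's 16-byte length to Protocol Two. The key, message and exact firmware behaviour are assumptions; the HMAC key is passed in directly rather than derived from the CTAP shared secret.

```python
import hmac
import hashlib

# Signature lengths defined by the CTAP2 PIN/UV Auth Protocols.
PROTO1_SIG_LEN = 16  # Protocol One: HMAC-SHA-256 truncated to 16 bytes
PROTO2_SIG_LEN = 32  # Protocol Two: full 32-byte HMAC-SHA-256


def authenticate(protocol: int, key: bytes, message: bytes) -> bytes:
    """pinUvAuthParam as computed by the platform for either protocol."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return mac[:PROTO1_SIG_LEN] if protocol == 1 else mac


def verify_correct(protocol: int, key: bytes, message: bytes, signature: bytes) -> bool:
    """Conformant verify: the expected length follows the protocol in use."""
    expected_len = PROTO1_SIG_LEN if protocol == 1 else PROTO2_SIG_LEN
    if len(signature) != expected_len:
        return False
    return hmac.compare_digest(authenticate(protocol, key, message), signature)


def verify_flawed(protocol: int, key: bytes, message: bytes, signature: bytes) -> bool:
    """Model of the advisory's defect (assumed behaviour, not the real firmware):
    Protocol One's length is applied regardless of protocol, so only the first
    16 bytes are compared and a 16-byte signature passes under Protocol Two."""
    if len(signature) < PROTO1_SIG_LEN:
        return False
    expected = authenticate(protocol, key, message)
    return hmac.compare_digest(expected[:PROTO1_SIG_LEN], signature[:PROTO1_SIG_LEN])


def demo() -> dict:
    """Constructed inputs; returns the verdicts of both verifiers for comparison."""
    key = b"\x11" * 32                     # constructed HMAC key
    message = b"constructed-ctap-command"  # constructed message
    full = authenticate(2, key, message)   # correct 32-byte Protocol Two signature
    short = full[:PROTO1_SIG_LEN]          # only 16 bytes: must be rejected
    return {
        "correct_accepts_full": verify_correct(2, key, message, full),
        "correct_rejects_short": not verify_correct(2, key, message, short),
        "flawed_accepts_short": verify_flawed(2, key, message, short),
        "flawed_ignores_tail": verify_flawed(2, key, message, short + b"\x00" * 16),
    }
```

All four values in the returned dict are True, which is exactly the partial verification the advisory describes.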

Remediation

Users can update to YubiKey version 5.7.4 to address this vulnerability. For YubiKey models in the affected range, the update can be applied using the Yubico Authenticator.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 1.3
exploitability: 3.3
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.