Yubico Libfido2, Python-Fido2, and Yubikey-Manager Unintended DLL Search Path Vulnerability

A vulnerability exists in Yubico libfido2 versions prior to 1.17.0, python-fido2 versions prior to 2.2.0, and yubikey-manager versions prior to 5.9.1, all related to an improper DLL search path on Windows. This flaw could allow an attacker to execute code by placing a malicious file in the installation directory of the affected software or Python. If the software is installed in a directory requiring Administrator permissions, the attacker would need an account with such access to carry out the attack.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution on the affected Windows system.

Remediation

Users are advised to update to the latest versions of libfido2, python-fido2, and YubiKey Manager. For integrators using these libraries, it is recommended to follow Microsoft's guidance on secure library loading to prevent DLL preloading attacks.