oss-sec mailing list archives

YSA-2024-01: YubiKey Manager Privilege Escalation


From: Matthew Fernandez <matthew.fernandez () gmail com>
Date: Fri, 5 Apr 2024 02:24:54 +1100

I am not affiliated with Yubico, but I was recently made aware of the following, which may be relevant to list members. The “YubiKey Manager GUI” software mentioned is the open source code at https://github.com/Yubico/yubikey-manager-qt.

https://www.yubico.com/support/security-advisories/ysa-2024-01/

Published Date: 2024-04-04
Tracking IDs: YSA-2024-01
CVE: Link pending
CVSS 3.1: 7.7

Summary

A security issue has been identified in YubiKey Manager GUI which could lead to unexpected privilege escalation on 
Windows. If a user runs the YubiKey Manager GUI as Administrator, browser windows opened by YubiKey Manager GUI may be 
opened as Administrator, which could be exploited by a local attacker to perform actions as Administrator. Under this 
circumstance, some browsers, like Edge for example, have additional mitigations to prevent opening as Administrator.

Affected software

The affected tool is YubiKey Manager GUI (commonly known as ykman-gui) with versions prior to 1.2.6. The issue impacts 
installations on Windows because Windows requires Administrative permissions to interact with FIDO authenticators. For 
other operating systems, YubiKey Manager GUI should not be run with elevated permissions.

Not affected software

Installations of YubiKey Manager GUI on platforms other than Windows are not impacted by this issue.

How to tell if you are affected

You are affected if you have YubiKey Manager GUI versions < 1.2.6 installed on a computer that is running Windows and 
is not using Edge as the default browser. You can check the version of YubiKey Manager GUI you have installed by clicking 
the “About” menu in the YubiKey Manager GUI.

Customer Actions

Yubico recommends that affected customers update to the latest version of YubiKey Manager available for download from our 
website <https://github.com/Yubico/yubikey-manager-qt> or directly from 
GitHub <https://github.com/Yubico/yubikey-manager-qt>.

Alternate Mitigations

    - Running YubiKey Manager GUI elevated is only required for using the FIDO features. In cases where users do not 
      require FIDO features in YubiKey Manager GUI, it can run as an unelevated user to avoid this issue.
    - Users can set Microsoft Edge as their default browser, which includes mitigations to avoid inheriting Administrative 
      permissions when opened in this way.

Issue Details

YubiKey Manager GUI is a tool for managing the various features of a YubiKey, including FIDO, OTP or PIV. In certain 
situations, the tool spawns the system default browser as a child process. This action requires user interaction with 
the tool and is not automatically triggered.

On Windows systems, the ability to communicate with FIDO authenticators requires Administrator privileges. This is a 
limitation built into the operating system by Microsoft. Thus, in order to interact with the FIDO functionality of the 
YubiKey, the user must run YubiKey Manager GUI with Administrator privileges. Once YubiKey Manager GUI is run with 
Administrator privileges, any browser windows opened by YubiKey Manager GUI may also be elevated with Administrator 
privileges depending on the browser in use. This issue can be used by an attacker to escalate local attacks and 
increase the impact of browser based attacks.

Severity

Yubico has rated this issue as High. It has a CVSS score of 7.7.
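The advisory's "How to tell if you are affected" rule and the Edge mitigation from "Alternate Mitigations", turned into a host check. This is an added example, not Yubico's code or part of the advisory. It assumes the ykman-gui installer's DisplayName contains "YubiKey Manager" under the standard Uninstall registry keys, and that Edge's default http-handler ProgId starts with "MSEdge" (e.g. MSEdgeHTM); the pure `is_affected` rule runs on any platform, the registry lookup only on Windows.

```python
import platform
import re
FIXED_VERSION = (1, 2, 6)  # first fixed ykman-gui release named in YSA-2024-01
UNINSTALL_PATHS = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                   r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall")
HTTP_USERCHOICE = r"Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice"

def parse_version(text):
    """'1.2.5' or 'v1.2.5' -> (1, 2, 5), '1.2' -> (1, 2, 0); raises on unparseable input."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_affected(os_name, ykman_gui_version, default_http_progid):
    """Advisory rule: Windows AND ykman-gui < 1.2.6 AND default browser is not Edge."""
    if os_name != "Windows" or ykman_gui_version is None:
        return False  # other platforms, or ykman-gui not installed: not affected
    if parse_version(ykman_gui_version) >= FIXED_VERSION:
        return False  # already on a fixed build (tuple compare, so 1.10.0 > 1.2.6)
    if default_http_progid and default_http_progid.startswith("MSEdge"):  # assumption: Edge ProgId, e.g. MSEdgeHTM
        return False  # advisory: Edge has mitigations against inheriting the elevation
    return True

def windows_facts():
    """Installed ykman-gui version (assumes its DisplayName contains 'YubiKey Manager') and default http ProgId."""
    import winreg  # Windows-only module, so imported only when this runs on Windows
    version, progid = None, None
    for path in UNINSTALL_PATHS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as hive:
                for i in range(winreg.QueryInfoKey(hive)[0]):
                    with winreg.OpenKey(hive, winreg.EnumKey(hive, i)) as app:
                        try:
                            name = winreg.QueryValueEx(app, "DisplayName")[0]
                        except OSError:
                            continue  # uninstall entry without a display name
                        if "YubiKey Manager" in name:
                            version = winreg.QueryValueEx(app, "DisplayVersion")[0]
        except OSError:
            continue  # this uninstall hive does not exist on this machine
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, HTTP_USERCHOICE) as key:
            progid = winreg.QueryValueEx(key, "ProgId")[0]
    except OSError:
        pass  # no per-user default browser recorded
    return version, progid

if __name__ == "__main__":  # stand-alone run: report whether this host matches the advisory
    print(is_affected(platform.system(), *(windows_facts() if platform.system() == "Windows" else (None, None))))
```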
