Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Yubico is replacing for free YubiKey FIPS devices due to security weakness

Yubico is replacing YubiKey FIPS security keys due to a serious flaw that makes cryptographic operations easier to crack under specific conditions. Yubico is replacing YubiKey FIPS security keys due to a serious issue that flaw that makes it easier to crack RSA keys and ECDSA signatures generated on these devices. The security advisory published […]

YubiKey FIPS

Yubico is replacing YubiKey FIPS security keys due to a serious flaw that makes cryptographic operations easier to crack under specific conditions.

Yubico is replacing YubiKey FIPS security keys due to a serious issue that flaw that makes it easier to crack RSA keys and ECDSA signatures generated on these devices.

The security advisory published by the company states that the issue impacts YubiKey series devices running versions 4.4.2 and 4.4.4 of the firmware. The weakness impacts PIV smart card applications, Universal 2nd Factor (U2F) authentication, OATH one-time passwords, and OpenPGP. Nano FIPS, C FIPS and C Nano FIPS devices are also impacted by the weakness.

“An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up,” reads the advisory published by Yubico.

“The issue only affects certain use cases and scenarios. YubiKey FIPS applications utilizing ECDSA are at higher risk than other use cases.”

Some YubiKey FIPS applications leverage on ransom values that contain reduced randomness for the first operations performed after devices power-up.

“The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted,” continues the advisory.

Yubico discovered the flaw in March and addressed it with the release of the firmware version 4.4.5 that was certified at the end of April.

At the time, there is no news of attacks exploiting the issue in the wild.

Yubico is contacting its customers to inform them of the free device replacement. The company said that most of the affected security keys have already been replaced or are in the process of being replaced.

People who bought their devices from a reseller should contact them and ask for the drives replacement.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Yubico, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]