YubiKey Manager Flaw (CVE-2024-31498): Patch Now To Prevent Admin Privilege Escalation on Windows
Yubico has released a security advisory and a patched release (version 1.2.6) of its YubiKey Manager GUI software. The vulnerability, CVE-2024-31498, carries a CVSS score of 7.7 and lets a local attacker gain Administrator privileges on Windows systems under specific conditions.
The Flaw
- Elevated Privileges Required: On Windows, managing the FIDO features of a YubiKey requires the YubiKey Manager GUI to run with Administrator privileges, because Windows restricts direct access to FIDO USB HID devices to administrators. This requirement comes from Microsoft, not from Yubico.
- Dangerous Inheritance: When the elevated YubiKey Manager GUI launches the default browser (for example, to open a help link), the browser is started as a child process and, by default, inherits the parent's Administrator token. A local attacker who can interact with that browser window can then perform actions with Administrator rights.
- Browser Matters: Some browsers, notably Microsoft Edge, have built-in mitigations against running with an inherited elevated token, which is why the exploit does not work when Edge is the default browser.
Who’s Affected
You are affected if you meet all of these criteria:
- Operating System: You are running Windows.
- Software: You are using a YubiKey Manager GUI version older than 1.2.6.
- Default Browser: Your default web browser is not Microsoft Edge.
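The following PowerShell script is an added example, not part of Yubico's advisory or its tooling. It checks the three criteria above on the local machine and reports whether the host is affected. It assumes that the YubiKey Manager GUI registers an uninstall entry whose DisplayName contains "YubiKey Manager" (or installs ykman-gui.exe under Program Files\Yubico\YubiKey Manager), and that the default HTTPS handler is recorded under the standard UserChoice key with an Edge ProgId starting with "MSEdge"; both are assumptions, not facts stated in the advisory.

```powershell
# Added example (not from Yubico's advisory): check whether this Windows host
# meets all three "affected" criteria for CVE-2024-31498.
# Assumptions, not facts from the advisory:
#   - the YubiKey Manager GUI registers an uninstall entry whose DisplayName
#     contains "YubiKey Manager", or installs ykman-gui.exe under Program Files;
#   - the default HTTPS handler is stored under the usual UserChoice key and
#     Edge's ProgId starts with "MSEdge" (e.g. MSEdgeHTM).
# No elevation is needed to run these checks.

$FixedVersion = [version]'1.2.6'

function Get-YkmanGuiVersion {
    # Look in the 64-bit, 32-bit and per-user uninstall hives, then fall back
    # to the file version of the installed executable (assumed path).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*YubiKey Manager*' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) {
        # Strip any suffix such as "-beta" so the [version] cast succeeds.
        return [version]($entry.DisplayVersion -replace '[^\d.].*$', '')
    }
    $exe = Join-Path $env:ProgramFiles 'Yubico\YubiKey Manager\ykman-gui.exe'  # assumed path
    if (Test-Path $exe) {
        $pv = (Get-Item $exe).VersionInfo.ProductVersion
        return [version]($pv -replace '[^\d.].*$', '')
    }
    return $null
}

function Get-DefaultHttpsProgId {
    # Per-user URL association chosen in Settings > Default apps.
    $key = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProgId
}

function Test-RunningElevated {
    # Reports whether this PowerShell session itself holds an Administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

$onWindows = ($env:OS -eq 'Windows_NT')
$ver       = Get-YkmanGuiVersion
$progId    = Get-DefaultHttpsProgId
$isEdge    = $progId -like 'MSEdge*'

"Windows:                $onWindows"
"YubiKey Manager GUI:    $(if ($ver) { $ver } else { 'not found' })"
"Default HTTPS handler:  $(if ($progId) { $progId } else { 'unknown' })"
"Current shell elevated: $(Test-RunningElevated)"

if ($onWindows -and $ver -and $ver -lt $FixedVersion -and -not $isEdge) {
    Write-Warning "AFFECTED: YubiKey Manager GUI $ver is older than $FixedVersion and the default browser is not Edge. Update now, and until then avoid running the GUI as Administrator."
} elseif ($ver -and $ver -lt $FixedVersion) {
    Write-Warning "YubiKey Manager GUI $ver is older than $FixedVersion; Edge mitigates this exploit, but update anyway."
} else {
    Write-Output 'Not affected by the criteria in the advisory.'
}
```

The version comparison uses the [version] type rather than string comparison so that, for instance, 1.2.10 would correctly sort after 1.2.6. If the GUI was installed to a non-default location and no uninstall entry is found, the script reports "not found" rather than guessing.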
Recommendations
- Update Immediately: Install the latest version of YubiKey Manager GUI (1.2.6 or newer) from the Yubico website or GitHub.
- Workarounds (if you cannot update immediately):
  - Reduce Elevated Use: Run the YubiKey Manager GUI as Administrator only when you actually need its FIDO functions, and avoid opening browser links from the elevated session.
  - Switch to Edge: Temporarily make Microsoft Edge your default browser; its built-in mitigations prevent this specific exploit.
Why This Matters
Administrator-level access gives an attacker far-reaching control over a compromised system. Although this vulnerability requires specific circumstances to exploit, it lets a local attacker who already has a foothold as a standard user escalate to Administrator, and it amplifies the impact of any attack that can reach the elevated browser.