YubiKey Manager Flaw (CVE-2024-31498): Patch Now To Prevent Admin Privilege Escalation on Windows

CVE-2024-31498

Yubico has released a security advisory and a patched release (version 1.2.6) of its YubiKey Manager GUI software. The vulnerability (CVE-2024-31498), rated CVSS 7.7, allows a local attacker to obtain elevated privileges on Windows systems under specific conditions.

The Flaw

  • Elevated Privileges Required: To manage the FIDO authentication features of YubiKeys on Windows, the YubiKey Manager GUI must be run with Administrator privileges. This is a limitation imposed by Microsoft.
  • Dangerous Inheritance: When the YubiKey Manager GUI, itself running with Administrator privileges, launches the default browser, the browser may inherit those elevated permissions. This opens the door for a local attacker to execute actions with Administrator rights within the browser.
  • Browser Matters: Some browsers, like Microsoft Edge, have built-in mitigations to reduce the risk of this privilege escalation exploit.

Who’s Affected

You are affected if you meet all of these criteria:

  • Operating System: You are running Windows.
  • Software: You are using a YubiKey Manager GUI version older than 1.2.6.
  • Default Browser: Your default web browser is not Microsoft Edge.
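As an added example (not Yubico's code and not part of the advisory), the following PowerShell script evaluates the three criteria above on the local machine. It assumes the YubiKey Manager installer registers an uninstall entry whose DisplayName starts with "YubiKey Manager", and that Microsoft Edge registers the http handler ProgId "MSEdgeHTM".

```powershell
# Added example: report whether this host matches the three "affected" criteria
# for CVE-2024-31498. Assumptions: uninstall entry DisplayName "YubiKey Manager*",
# Edge http handler ProgId "MSEdgeHTM". Version fixed per the advisory: 1.2.6.
$FixedVersion = [version]'1.2.6'

function Get-YkmanGuiVersion {
    # Look in the usual uninstall hives (64-bit, 32-bit, per-user installs).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'YubiKey Manager*' } |
             Select-Object -First 1
    if (-not $entry -or -not $entry.DisplayVersion) { return $null }
    try { return [version]$entry.DisplayVersion } catch { return $null }
}

function Get-DefaultHttpProgId {
    # Per-user default handler for http:// links, as set in Windows default apps.
    $path = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice'
    return (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).ProgId
}

function Test-Cve202431498Exposure {
    # Works in both Windows PowerShell 5.1 and PowerShell 7 (no $IsWindows needed).
    $onWindows = [System.Environment]::OSVersion.Platform -eq 'Win32NT'
    $version   = Get-YkmanGuiVersion
    $progId    = Get-DefaultHttpProgId
    $oldGui    = ($null -ne $version) -and ($version -lt $FixedVersion)
    $edge      = ($progId -eq 'MSEdgeHTM')

    [pscustomobject]@{
        Windows           = $onWindows
        YkmanGuiVersion   = $version
        GuiOlderThanFixed = $oldGui
        DefaultHttpProgId = $progId
        EdgeIsDefault     = $edge
        Affected          = $onWindows -and $oldGui -and (-not $edge)
    }
}

Test-Cve202431498Exposure | Format-List
```

A portable copy of the GUI that was never installed leaves no uninstall entry, so a `$null` version here means "not detected", not "not present".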

Recommendations

  1. Update Immediately: Install the latest version of YubiKey Manager GUI (1.2.6 or newer) from the Yubico website or GitHub.
  2. Workarounds (if update isn’t immediate):
    • Reduce YubiKey Manager Usage: Only run the YubiKey Manager GUI as an Administrator when necessary (for FIDO functions).
    • Switch to Edge: Temporarily make Microsoft Edge your default browser to benefit from its built-in protections against this specific exploit.

Why This Matters

Administrator-level access grants attackers far-reaching control over a compromised system. This vulnerability, while requiring specific circumstances to exploit, could allow a local attack to escalate to Administrator rights and amplify the impact of browser-based attacks.