CVE-2020-10185
📋 TL;DR
CVE-2020-10185 is a vulnerability in the sync endpoint of YubiKey Validation Server that allows remote attackers to replay one-time passwords (OTPs), potentially bypassing authentication. It affects self-hosted OTP validation services with non-default configurations like open sync pools, but does not impact YubiCloud or default setups.
💻 Affected Systems
- YubiKey Validation Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could replay OTPs to gain unauthorized access to systems relying on YubiKey for authentication, leading to account compromise or privilege escalation.
Likely Case
In targeted attacks, attackers may exploit this to bypass multi-factor authentication in environments with vulnerable configurations, though it requires specific non-default settings.
If Mitigated
With proper controls like network segmentation and patching, the risk is minimal as the vulnerability is limited to certain configurations and does not affect default setups.
🎯 Exploit Status
Exploitation involves replaying OTPs via the sync endpoint, which is straightforward if the vulnerable configuration is in place.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.40
Vendor Advisory: https://www.yubico.com/support/security-advisories/ysa-2020-01/
Restart Required: Yes
Instructions:
1. Download YubiKey Validation Server version 2.40 or later from the official repository.
2. Stop the current server.
3. Install the new version.
4. Restart the server to apply the patch.
🔧 Temporary Workarounds
Disable Open Sync Pool
Modify the server configuration to use a closed or restricted sync pool instead of an open one, as the vulnerability only affects open sync pools.
Edit the configuration file (e.g., /etc/yubikey-val/config.yml) to set sync pool settings to closed or restricted mode.
Network Segmentation
Restrict access to the sync endpoint by implementing firewall rules that allow only trusted IP addresses.
Use iptables or similar to block external access to the sync endpoint port (e.g., iptables -A INPUT -p tcp --dport [port] -s [trusted_ip] -j ACCEPT; iptables -A INPUT -p tcp --dport [port] -j DROP)
🧯 If You Can't Patch
- Implement network controls to isolate the sync endpoint from untrusted networks.
- Monitor logs for unusual OTP replay attempts and review sync pool configurations regularly.
🔍 How to Verify
Check if Vulnerable:
Check the YubiKey Validation Server version; if it is below 2.40 and configured with an open sync pool, it is vulnerable.
Check Version:
yubikey-val --version or check the server logs/configuration files for version information.
Verify Fix Applied:
After patching, confirm the server version is 2.40 or higher and verify that the sync pool configuration is not open.
📡 Detection & Monitoring
Log Indicators:
- Multiple OTP validation requests from the same source in a short time frame, especially targeting the sync endpoint.
Network Indicators:
- Unusual traffic patterns to the sync endpoint, such as repeated requests from external IPs.
SIEM Query:
source="yubikey-val" AND ((event="sync_request" AND count > threshold) OR message="OTP replay detected")
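Detection logic for the replay pattern described above, as an added example that is not part of this advisory or of Yubico's yubikey-val code. It assumes a constructed log format in which each sync request records the source address, the key identity, the YubiKey session counter (yk_counter) and use counter (yk_use), and the OTP string; a request is flagged when its OTP was already seen or its counters do not move strictly forward from the state recorded for that key.

```python
import re

# Constructed sample log lines (not real yubikey-val output). Field names
# are an assumption modelled on the sync-protocol parameters.
SAMPLE_LOG = """\
2020-03-01T10:00:01Z sync src=10.0.0.5 yk_identity=cccccccccccb yk_counter=12 yk_use=3 otp=cccccccccccbAAAA
2020-03-01T10:00:05Z sync src=10.0.0.5 yk_identity=cccccccccccb yk_counter=12 yk_use=4 otp=cccccccccccbBBBB
2020-03-01T10:00:09Z sync src=203.0.113.9 yk_identity=cccccccccccb yk_counter=12 yk_use=3 otp=cccccccccccbAAAA
2020-03-01T10:00:12Z sync src=203.0.113.9 yk_identity=cccccccccccb yk_counter=11 yk_use=9 otp=cccccccccccbCCCC
2020-03-01T10:00:15Z sync src=10.0.0.5 yk_identity=cccccccccccb yk_counter=13 yk_use=0 otp=cccccccccccbDDDD
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sync src=(?P<src>\S+) yk_identity=(?P<id>\w+) "
    r"yk_counter=(?P<counter>\d+) yk_use=(?P<use>\d+) otp=(?P<otp>\w+)$"
)


def find_replays(log_text):
    """Return (line_no, reason, src) for every sync request that replays an
    OTP or fails to advance the (counter, use) pair for its key identity."""
    state = {}        # yk_identity -> (counter, use) of the last accepted request
    seen_otps = set()
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not sync requests
        key = m["id"]
        new = (int(m["counter"]), int(m["use"]))
        if m["otp"] in seen_otps:
            alerts.append((n, "otp already seen", m["src"]))
            continue
        # Tuple comparison: session counter first, then use counter.
        if key in state and new <= state[key]:
            alerts.append((n, "counter did not advance", m["src"]))
            continue
        state[key] = new
        seen_otps.add(m["otp"])
    return alerts


if __name__ == "__main__":
    for line_no, reason, src in find_replays(SAMPLE_LOG):
        print(f"line {line_no}: {reason} from {src}")
```

Alerts clustered on one external source, as in the sample, are the pattern the Network Indicators entry above describes.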
🔗 References
- https://github.com/Yubico/yubikey-val/releases/tag/yubikey-val-2.40
- https://lists.debian.org/debian-lts-announce/2020/03/msg00014.html
- https://www.yubico.com/support/security-advisories/ysa-2020-01/