Login Sign Up

CVE-2020-12061

9.8 CRITICAL

📋 TL;DR

CVE-2020-12061 is a critical vulnerability in Nitrokey FIDO U2F firmware where communication between the microcontroller and secure element transmits credentials in plaintext. This allows attackers to eavesdrop on communications, extract stored secrets, and potentially manipulate the firmware. Users of Nitrokey FIDO U2F hardware security keys with firmware version 1.1 or earlier are affected.

💻 Affected Systems

Products:
  • Nitrokey FIDO U2F
Versions: All versions through 1.1
Operating Systems: All operating systems that support the device
Default Config Vulnerable: ⚠️ Yes
Notes: All Nitrokey FIDO U2F devices with firmware version 1.1 or earlier are vulnerable by default.

📦 What is this software?

Fido U2f Firmware by Nitrokey

View all CVEs affecting Fido U2f Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the security key, allowing attacker to extract all stored credentials, impersonate the user, and potentially install malicious firmware.

🟠

Likely Case

Attacker with physical access or proximity can extract authentication secrets and clone the security key.

🟢

If Mitigated

With proper physical security controls, risk is limited to attackers with physical access to the device during use.

🌐 Internet-Facing: LOW - This requires physical access or proximity to the device, not remote exploitation.
🏢 Internal Only: MEDIUM - Insider threats or attackers with physical access to devices could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires physical access or proximity to the device during operation. The vulnerability is well-documented in security research papers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after 1.1

Vendor Advisory: https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/releases

Restart Required: Yes

Instructions:

1. Download latest firmware from Nitrokey releases page. 2. Use Nitrokey's firmware update tool. 3. Follow device-specific flashing instructions. 4. Verify firmware version after update.

🔧 Temporary Workarounds

Physical Security Controls

all

Limit physical access to devices and monitor for unauthorized device connections

🧯 If You Can't Patch

  • Retire vulnerable devices and replace with updated hardware
  • Implement additional authentication factors to reduce reliance on vulnerable keys

🔍 How to Verify

Check if Vulnerable:

Check firmware version using Nitrokey management software or command: nitrokey-fido2 status

Check Version:

nitrokey-fido2 status | grep Firmware

Verify Fix Applied:

Verify firmware version is greater than 1.1 using device management tools

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts with security key
  • Unexpected device connection/disconnection events

Network Indicators:

  • Unusual USB device enumeration patterns
  • Suspicious physical access to devices

SIEM Query:

DeviceLogs | where DeviceType == 'SecurityKey' and FirmwareVersion <= '1.1'

📊 Metadata

CVE ID: CVE-2020-12061
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-522
Published: May 21, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-12061, you might also want to check these:

CVE-2024-51545 10.0

This CVE describes a username enumeration vulnerability in ABB industrial control system products th...

Same vulnerability type (CWE-522)
CVE-2021-30116 10.0

CVE-2021-30116 is an authentication bypass vulnerability in Kaseya VSA that allows unauthenticated a...

Same vulnerability type (CWE-522)
CVE-2025-0867 9.9

This vulnerability allows standard users to execute commands with administrative privileges through ...

Same vulnerability type (CWE-522)