https://www.zdnet.com/article/yubico-to-replace-vulnerable-yubikey-fips-security-keys/
By Catalin Cimpanu
Zero Day
ZDNet News
June 13, 2019
Yubico said today it plans to replace certain hardware security keys
because of a firmware flaw that reduces the randomness of cryptographic
keys generated by its devices.
Affected products include models part of the YubiKey FIPS Series, a line
of YubiKey authentication keys certified for use on US government networks
(and others) according to the US government's Federal Information
Processing Standards (FIPS).
BOOT-UP BUG TEMPORARILY REDUCES CRYPTO KEY RANDOMNESS
According to a Yubico security advisory published today, YubiKey FIPS
Series devices that run firmware version 4.4.2 and 4.4.4 contain a bug
that keeps "some predictable content" inside the device's data buffer
after the power-up operation.
This "predictable content" will influence the randomness of cryptographic
keys generated on the device for a short period after the boot-up, until
the "predictable content" is all used up, and true random data is present
in the buffer.
[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
