« Yubico will replace your YubiKey NEO if you are using the OpenPGP applet version 1.0.9 or earlier (as described in this advisory).
[...]
The source code contains a logical flaw related to user PIN (aka PW1) verification that allows an attacker with local host privileges and/or physical proximity (NFC) to perform security operations without knowledge of the user’s PIN code.
[...]
Mitigation
The flaw is mitigated by the fact that an attacker would typically require some abilities that would enable the attack even without the logical flaw.
In particular, any attacker with access to the local host must be assumed to be able to learn the user’s PIN code, simply by intercepting communication with the OpenPGP card hardware or through key logging.
Alternatively, if the attacker has physical proximity to the card, it could wait for the device to be used normally over NFC and then learn the PIN code wirelessly and perform the attack at a later point.
If your device is stolen, attackers may use it to perform private-key operations. If an attacker has gone through the trouble of obtaining physical access to a key, the conservative approach is to regard it is possible that the attacker were able to learn the PIN earlier since the PIN is often unprotected. In situations like this, you should treat the key as potentially compromised and revoke the key.
[...]
You may check the applet version with the following command.
$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000] 01 00 06 90 00 .....
OK
The string "01 00 06" means version 1.0.6, which would be affected by this problem. »
Sat Nov 14 22:14:47 2015 - permalink -
-
https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html