CVE-2019-18672

EPSS 0.48%
Veröffentlicht 06.12.2019 18:15:12
Zuletzt bearbeitet 21.11.2024 04:33:30
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow a partial reset of cryptographic secrets to known values via crafted messages. Notably, this breaks the security of U2F for new server registrations and invalidates existing registrations. This vulnerability can be exploited by unauthenticated attackers and the interface is reachable via WebUSB.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Shapeshift ≫ Keepkey Firmware Version < 6.2.2

Shapeshift ≫ Keepkey Firmware Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.48%	0.641

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-354 Improper Validation of Integrity Check Value

The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

https://medium.com/shapeshift-stories/keepkey-release-notes-v-6f7d2ec78065

Third Party Advisory

https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3

Third Party Advisory

https://blog.inhq.net/posts/keepkey-CVE-2019-18672/

https://github.com/keepkey/keepkey-firmware/commit/769714fcb569e7a4faff9530a2d9ac1f9d6e5680

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-18672

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-18672

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-18672

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2019-18672