CVE-2024-23660

Exploit

EPSS 0.15%
Veröffentlicht 08.02.2024 20:15:52
Zuletzt bearbeitet 15.05.2025 20:15:44
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 2023. An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Binance ≫ Trust Wallet Version0.0.4 SwPlatformiphone_os

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.356

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

https://milksad.info/posts/research-update-5/

Third Party Advisory

Exploit

https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-23660

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-23660

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-23660

EUVD