QwikSec

Security Database

CVE

CWE

Training

CVE-2019-18672

Published: Dec 6, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

Insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow a partial reset of cryptographic secrets to known values via crafted messages. Notably, this breaks the security of U2F for new server registrations and invalidates existing registrations. This vulnerability can be exploited by unauthenticated attackers and the interface is reachable via WebUSB.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://medium.com/shapeshift-stories/keepkey-release-notes-v-6f7d2ec78065

x_refsource_MISC

https://github.com/keepkey/keepkey-firmware/commit/769714fcb569e7a4faff9530a2d9ac1f9d6e5680

x_refsource_MISC

https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3

x_refsource_CONFIRM

https://blog.inhq.net/posts/keepkey-CVE-2019-18672/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.