CVE-2019-18671 - OpenCVE

Insufficient checks in the USB packet handling of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow out-of-bounds writes in the .bss segment via crafted messages. The vulnerability could allow code execution or other forms of impact. It can be triggered by unauthenticated attackers and the interface is reachable via WebUSB.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Keepkey	Keepkey Firmware Keepkey

Configuration 1 [-]

AND

cpe:2.3:o:keepkey:keepkey_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:keepkey:keepkey:-:*:*:*:*:*:*:*

References

Link	Resource
https://blog.inhq.net/posts/keepkey-CVE-2019-18671/
https://github.com/keepkey/keepkey-firmware/commit/b222c66cdd7c3203d917c80ba615082d309d80c3	Patch Third Party Advisory
https://medium.com/shapeshift-stories/keepkey-release-notes-v-6f7d2ec78065	Release Notes Third Party Advisory
https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-12-06T17:53:29

Updated: 2020-02-12T02:53:19

Reserved: 2019-11-02T00:00:00

Link: CVE-2019-18671

JSON object: View

NVD Information

Status : Modified

Published: 2019-12-06T18:15:12.653

Modified: 2020-02-12T03:15:10.943

Link: CVE-2019-18671

JSON object: View

Redhat Information

No data.

CWE

CWE-787

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Insufficient checks in the USB packet handling of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow out-of-bounds writes in the .bss segment via crafted messages. The vulnerability could allow code execution or other forms of impact. It can be triggered by unauthenticated attackers and the interface is reachable via WebUSB."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-12T02:53:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/keepkey/keepkey-firmware/commit/b222c66cdd7c3203d917c80ba615082d309d80c3"}, {"tags": ["x_refsource_MISC"], "url": "https://medium.com/shapeshift-stories/keepkey-release-notes-v-6f7d2ec78065"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.inhq.net/posts/keepkey-CVE-2019-18671/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18671", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insufficient checks in the USB packet handling of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow out-of-bounds writes in the .bss segment via crafted messages. The vulnerability could allow code execution or other forms of impact. It can be triggered by unauthenticated attackers and the interface is reachable via WebUSB."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/keepkey/keepkey-firmware/commit/b222c66cdd7c3203d917c80ba615082d309d80c3", "refsource": "MISC", "url": "https://github.com/keepkey/keepkey-firmware/commit/b222c66cdd7c3203d917c80ba615082d309d80c3"}, {"name": "https://medium.com/shapeshift-stories/keepkey-release-notes-v-6f7d2ec78065", "refsource": "MISC", "url": "https://medium.com/shapeshift-stories/keepkey-release-notes-v-6f7d2ec78065"}, {"name": "https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3", "refsource": "CONFIRM", "url": "https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3"}, {"name": "https://blog.inhq.net/posts/keepkey-CVE-2019-18671/", "refsource": "MISC", "url": "https://blog.inhq.net/posts/keepkey-CVE-2019-18671/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18671", "datePublished": "2019-12-06T17:53:29", "dateReserved": "2019-11-02T00:00:00", "dateUpdated": "2020-02-12T02:53:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:keepkey:keepkey_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "60AB201E-BAD5-466A-8896-F17EDC53E75E", "versionEndExcluding": "6.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:keepkey:keepkey:-:*:*:*:*:*:*:*", "matchCriteriaId": "31C93828-4A0A-4B05-BFE3-9B795EAA0872", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Insufficient checks in the USB packet handling of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow out-of-bounds writes in the .bss segment via crafted messages. The vulnerability could allow code execution or other forms of impact. It can be triggered by unauthenticated attackers and the interface is reachable via WebUSB."}, {"lang": "es", "value": "Las comprobaciones insuficientes en el manejo de paquetes USB de la billetera de hardware ShapeShift KeepKey anteriores a firmware 6.2.2 permiten escrituras fuera de l\u00edmites en el segmento .bss a trav\u00e9s de mensajes especialmente dise\u00f1ados. La vulnerabilidad podr\u00eda permitir la ejecuci\u00f3n de c\u00f3digo u otras formas de impacto. Puede ser activado por atacantes no autenticados y se puede acceder a la interfaz a trav\u00e9s de WebUSB."}], "id": "CVE-2019-18671", "lastModified": "2020-02-12T03:15:10.943", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-06T18:15:12.653", "references": [{"source": "cve@mitre.org", "url": "https://blog.inhq.net/posts/keepkey-CVE-2019-18671/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/keepkey/keepkey-firmware/commit/b222c66cdd7c3203d917c80ba615082d309d80c3"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://medium.com/shapeshift-stories/keepkey-release-notes-v-6f7d2ec78065"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}