CVE-2021-31616 - OpenCVE

Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.1.0 allow a stack buffer overflow via crafted messages. The overflow in ethereum_extractThorchainSwapData() in ethereum.c can circumvent stack protections and lead to code execution. The vulnerable interface is reachable remotely over WebUSB.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Shapeshift	Keepkey Firmware Keepkey

Configuration 1 [-]

AND

cpe:2.3:o:shapeshift:keepkey_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:shapeshift:keepkey:-:*:*:*:*:*:*:*

References

Link	Resource
https://blog.inhq.net/posts/keepkey-CVE-2021-31616/	Exploit Patch Third Party Advisory
https://github.com/keepkey/keepkey-firmware/commit/e49d45594002d4d3fbc1f03488e6dfc0a0a65836	Patch Third Party Advisory
https://github.com/keepkey/keepkey-firmware/releases/tag/v7.1.0	Release Notes Third Party Advisory
https://shapeshift.com/library/keepkey-important-update-issued-april-4-required	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-06T11:01:42

Updated: 2021-05-06T19:12:48

Reserved: 2021-04-23T00:00:00

Link: CVE-2021-31616

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-05-06T13:15:12.693

Modified: 2022-05-03T16:04:40.443

Link: CVE-2021-31616

JSON object: View

Redhat Information

No data.

CWE

CWE-787

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.1.0 allow a stack buffer overflow via crafted messages. The overflow in ethereum_extractThorchainSwapData() in ethereum.c can circumvent stack protections and lead to code execution. The vulnerable interface is reachable remotely over WebUSB."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-06T19:12:48", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/keepkey/keepkey-firmware/releases/tag/v7.1.0"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/keepkey/keepkey-firmware/commit/e49d45594002d4d3fbc1f03488e6dfc0a0a65836"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.inhq.net/posts/keepkey-CVE-2021-31616/"}, {"tags": ["x_refsource_MISC"], "url": "https://shapeshift.com/library/keepkey-important-update-issued-april-4-required"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-31616", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.1.0 allow a stack buffer overflow via crafted messages. The overflow in ethereum_extractThorchainSwapData() in ethereum.c can circumvent stack protections and lead to code execution. The vulnerable interface is reachable remotely over WebUSB."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/keepkey/keepkey-firmware/releases/tag/v7.1.0", "refsource": "MISC", "url": "https://github.com/keepkey/keepkey-firmware/releases/tag/v7.1.0"}, {"name": "https://github.com/keepkey/keepkey-firmware/commit/e49d45594002d4d3fbc1f03488e6dfc0a0a65836", "refsource": "MISC", "url": "https://github.com/keepkey/keepkey-firmware/commit/e49d45594002d4d3fbc1f03488e6dfc0a0a65836"}, {"name": "https://blog.inhq.net/posts/keepkey-CVE-2021-31616/", "refsource": "MISC", "url": "https://blog.inhq.net/posts/keepkey-CVE-2021-31616/"}, {"name": "https://shapeshift.com/library/keepkey-important-update-issued-april-4-required", "refsource": "MISC", "url": "https://shapeshift.com/library/keepkey-important-update-issued-april-4-required"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31616", "datePublished": "2021-05-06T11:01:42", "dateReserved": "2021-04-23T00:00:00", "dateUpdated": "2021-05-06T19:12:48", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:shapeshift:keepkey_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD9316A0-067E-435A-8186-4F8D828D67F4", "versionEndExcluding": "7.1.0", "versionStartIncluding": "7.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:shapeshift:keepkey:-:*:*:*:*:*:*:*", "matchCriteriaId": "663CE48F-F657-40AA-8954-EADA31C9DFB1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.1.0 allow a stack buffer overflow via crafted messages. The overflow in ethereum_extractThorchainSwapData() in ethereum.c can circumvent stack protections and lead to code execution. The vulnerable interface is reachable remotely over WebUSB."}, {"lang": "es", "value": "Unas comprobaciones insuficiente de longitud en el firmware ShapeShift KeepKey versiones anteriores a 7.1.0, permiten un desbordamiento del b\u00fafer de la pila por medio de mensajes dise\u00f1ados. El desbordamiento en la funci\u00f3n ethereum_extractThorchainSwapData() en el archivo ethereum.c puede omitir las protecciones de la pila y conllevar a una ejecuci\u00f3n de c\u00f3digo. La interfaz vulnerable es accesible de forma remota por medio de WebUSB"}], "id": "CVE-2021-31616", "lastModified": "2022-05-03T16:04:40.443", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-06T13:15:12.693", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://blog.inhq.net/posts/keepkey-CVE-2021-31616/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/keepkey/keepkey-firmware/commit/e49d45594002d4d3fbc1f03488e6dfc0a0a65836"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/keepkey/keepkey-firmware/releases/tag/v7.1.0"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://shapeshift.com/library/keepkey-important-update-issued-april-4-required"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}