CVE-2019-18672: Vulnerability Insights and Analysis
Learn about CVE-2019-18672, a vulnerability in ShapeShift KeepKey hardware wallet before firmware 6.2.2 allowing unauthorized access via WebUSB. Find out the impact, affected systems, exploitation mechanism, and mitigation steps.
Before firmware version 6.2.2, ShapeShift KeepKey hardware wallet had a vulnerability that allowed unauthorized access through WebUSB.
Understanding CVE-2019-18672
This CVE describes a security vulnerability in the ShapeShift KeepKey hardware wallet before firmware version 6.2.2.
What is CVE-2019-18672?
Insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allowed a partial reset of cryptographic secrets to known values via crafted messages.
This vulnerability compromised the security of U2F for new server registrations and invalidated existing registrations.
Unauthorized attackers could exploit this vulnerability to access the interface through WebUSB.
The Impact of CVE-2019-18672
The vulnerability enabled attackers to manipulate messages to reset cryptographic secrets, compromising the security of U2F registrations.
Because the crafted messages could be delivered over WebUSB, an attacker with such access could compromise the hardware wallet without authorization.
Technical Details of CVE-2019-18672
This section provides technical details of the CVE-2019-18672 vulnerability.
Vulnerability Description
Before firmware version 6.2.2, the finite state machine of the ShapeShift KeepKey hardware wallet did not thoroughly verify which messages were permitted in the current state.
Carefully manipulated messages could therefore trigger a partial reset of cryptographic secrets to known values.
This compromises the security of U2F for new server registrations and invalidates existing registrations.
Affected Systems and Versions
Product: ShapeShift KeepKey hardware wallet
Vendor: ShapeShift
Versions affected: Before firmware version 6.2.2
Exploitation Mechanism
Attackers could exploit the vulnerability by sending carefully crafted messages to the hardware wallet, enabling unauthorized access through WebUSB.
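To make the bug class behind the "insufficient checks in the finite state machine" description concrete, the following is an added illustration written for this page; it is not KeepKey firmware and does not model the device's real message protocol. It uses a hypothetical three-state device (uninitialised, ready, wipe-confirmed) and hypothetical message types. The weak handler honours a secret-loading message in any state, so an already-provisioned secret can be overwritten with host-chosen values; the hardened handler only accepts that message when the device is uninitialised or the user has confirmed a wipe on the device itself, and leaves the stored secret untouched otherwise.

```c
/* Constructed example: a device message handler whose state machine either
 * does or does not check whether a secret-loading message is allowed in the
 * current state. All names, states and message types are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECRET_LEN 32

typedef enum {
    ST_UNINITIALISED,   /* fresh device: no secrets stored yet */
    ST_READY,           /* secrets provisioned, normal operation */
    ST_WIPE_CONFIRMED   /* user confirmed a wipe on the device itself */
} dev_state_t;

typedef enum {
    MSG_LOAD_SECRET,    /* host supplies secret material (provisioning) */
    MSG_CONFIRM_WIPE,   /* stands in for an on-device, physical confirmation */
    MSG_SIGN            /* normal operation: use the stored secret */
} msg_type_t;

typedef struct {
    dev_state_t state;
    uint8_t secret[SECRET_LEN];
} device_t;

typedef int (*handler_fn)(device_t *, msg_type_t, const uint8_t *);

void device_init(device_t *d) {
    d->state = ST_UNINITIALISED;
    memset(d->secret, 0, SECRET_LEN);
}

/* Weak handler: MSG_LOAD_SECRET is accepted regardless of state, so a host can
 * overwrite already-provisioned secrets with values it chose. */
int handle_weak(device_t *d, msg_type_t t, const uint8_t *payload) {
    switch (t) {
    case MSG_LOAD_SECRET:
        memcpy(d->secret, payload, SECRET_LEN);   /* no state check */
        d->state = ST_READY;
        return 0;
    case MSG_CONFIRM_WIPE:
        memset(d->secret, 0, SECRET_LEN);
        d->state = ST_WIPE_CONFIRMED;
        return 0;
    case MSG_SIGN:
        return d->state == ST_READY ? 0 : -1;
    }
    return -1;
}

/* Hardened handler: secret material may only be loaded when the device is
 * uninitialised or a wipe was confirmed on-device; any other state rejects
 * the message and the stored secret is not modified. */
int handle_hardened(device_t *d, msg_type_t t, const uint8_t *payload) {
    switch (t) {
    case MSG_LOAD_SECRET:
        if (d->state != ST_UNINITIALISED && d->state != ST_WIPE_CONFIRMED)
            return -1;                             /* wrong state: reject */
        memcpy(d->secret, payload, SECRET_LEN);
        d->state = ST_READY;
        return 0;
    case MSG_CONFIRM_WIPE:
        if (d->state != ST_READY)
            return -1;
        memset(d->secret, 0, SECRET_LEN);
        d->state = ST_WIPE_CONFIRMED;
        return 0;
    case MSG_SIGN:
        return d->state == ST_READY ? 0 : -1;
    }
    return -1;
}

/* Scenario: provision a device with a (constructed) genuine secret, then have
 * the host send MSG_LOAD_SECRET with all-zero "known" material while the
 * device is READY. Returns 1 if the stored secret ended up as the known value. */
int secret_was_reset(handler_fn handler) {
    device_t d;
    uint8_t genuine[SECRET_LEN], known[SECRET_LEN];
    device_init(&d);
    for (int i = 0; i < SECRET_LEN; i++)
        genuine[i] = (uint8_t)(0xA5 ^ i);          /* constructed sample secret */
    memset(known, 0x00, SECRET_LEN);
    handler(&d, MSG_LOAD_SECRET, genuine);         /* legitimate provisioning */
    handler(&d, MSG_LOAD_SECRET, known);           /* unexpected message in READY */
    return memcmp(d.secret, known, SECRET_LEN) == 0;
}

/* The legitimate path must still work: wipe confirmed on-device, then reload. */
int hardened_wipe_then_load_ok(void) {
    device_t d;
    uint8_t fresh[SECRET_LEN];
    device_init(&d);
    memset(fresh, 0x3C, SECRET_LEN);               /* constructed sample secret */
    if (handle_hardened(&d, MSG_LOAD_SECRET, fresh) != 0) return 0;
    if (handle_hardened(&d, MSG_CONFIRM_WIPE, NULL) != 0) return 0;
    if (handle_hardened(&d, MSG_LOAD_SECRET, fresh) != 0) return 0;
    return d.state == ST_READY;
}

int main(void) {
    printf("weak handler: secret reset = %d\n", secret_was_reset(handle_weak));
    printf("hardened handler: secret reset = %d\n", secret_was_reset(handle_hardened));
    printf("hardened legitimate wipe/reload ok = %d\n", hardened_wipe_then_load_ok());
    return 0;
}
```

The defensive point is in the hardened `MSG_LOAD_SECRET` branch: a message that can replace key material must be gated on an explicit state that only an on-device action (not a host message) can reach. The same pattern applies to any firmware command that reinitialises secrets.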
Mitigation and Prevention
Protecting against CVE-2019-18672 requires immediate steps and long-term security practices.
Immediate Steps to Take
Update the firmware of the ShapeShift KeepKey hardware wallet to version 6.2.2 or newer.
Avoid connecting the hardware wallet to untrusted devices or networks.
Monitor for any unauthorized access or unusual activity on the device.
Long-Term Security Practices
Regularly update firmware and security patches for the hardware wallet.
Educate users on safe practices for using hardware wallets and avoiding potential security risks.
Patching and Updates
ShapeShift released firmware version 6.2.2 to address the vulnerability.
Users should promptly update their hardware wallets to the latest firmware version to mitigate the risk of exploitation.