ID

VAR-201908-0921


CVE

CVE-2019-14354


TITLE

Ledger Nano S and Nano X devices vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2019-008033

DESCRIPTION

On Ledger Nano S and Nano X devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. Unauthorized attackers can exploit the vulnerability to obtain sensitive information about affected components. This vulnerability stems from configuration errors in network systems or products during operation.

Trust: 2.25

sources: NVD: CVE-2019-14354 // JVNDB: JVNDB-2019-008033 // CNVD: CNVD-2019-41835 // VULHUB: VHN-146292

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-41835

AFFECTED PRODUCTS

vendor: ledger, model: nano s, scope: eq, version: -

Trust: 1.0

vendor: ledger, model: nano x, scope: eq, version: -

Trust: 1.0

vendor: ledger sas, model: nano s, scope: -, version: -

Trust: 0.8

vendor: ledger sas, model: nano x, scope: -, version: -

Trust: 0.8

vendor: ledger, model: sas nano s, scope: -, version: -

Trust: 0.6

vendor: ledger, model: sas nano, scope: eq, version: x

Trust: 0.6

sources: CNVD: CNVD-2019-41835 // JVNDB: JVNDB-2019-008033 // NVD: CVE-2019-14354

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14354
value: LOW

Trust: 1.0

NVD: CVE-2019-14354
value: LOW

Trust: 0.8

CNVD: CNVD-2019-41835
value: LOW

Trust: 0.6

CNNVD: CNNVD-201908-660
value: LOW

Trust: 0.6

VULHUB: VHN-146292
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-14354
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-41835
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-146292
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-14354
baseSeverity: LOW
baseScore: 2.4
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 0.9
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-41835 // VULHUB: VHN-146292 // JVNDB: JVNDB-2019-008033 // CNNVD: CNNVD-201908-660 // NVD: CVE-2019-14354

PROBLEMTYPE DATA

problemtype:CWE-203

Trust: 1.0

problemtype:CWE-200

Trust: 0.9

sources: VULHUB: VHN-146292 // JVNDB: JVNDB-2019-008033 // NVD: CVE-2019-14354

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201908-660

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008033

PATCH

title: OLED screen (minor) vulnerability, url: https://ledger-donjon.github.io/oled-vuln/

Trust: 0.8

sources: JVNDB: JVNDB-2019-008033

EXTERNAL IDS

db: NVD, id: CVE-2019-14354

Trust: 3.1

db: JVNDB, id: JVNDB-2019-008033

Trust: 0.8

db: CNNVD, id: CNNVD-201908-660

Trust: 0.7

db: CNVD, id: CNVD-2019-41835

Trust: 0.6

db: VULHUB, id: VHN-146292

Trust: 0.1

sources: CNVD: CNVD-2019-41835 // VULHUB: VHN-146292 // JVNDB: JVNDB-2019-008033 // CNNVD: CNNVD-201908-660 // NVD: CVE-2019-14354

REFERENCES

url: https://ledger-donjon.github.io/oled-vuln/

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2019-14354

Trust: 2.0

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14354

Trust: 0.8

sources: CNVD: CNVD-2019-41835 // VULHUB: VHN-146292 // JVNDB: JVNDB-2019-008033 // CNNVD: CNNVD-201908-660 // NVD: CVE-2019-14354

SOURCES

db: CNVD, id: CNVD-2019-41835
db: VULHUB, id: VHN-146292
db: JVNDB, id: JVNDB-2019-008033
db: CNNVD, id: CNNVD-201908-660
db: NVD, id: CVE-2019-14354

LAST UPDATE DATE

2024-11-23T22:37:44.285000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-41835, date: 2019-11-22T00:00:00
db: VULHUB, id: VHN-146292, date: 2019-08-21T00:00:00
db: JVNDB, id: JVNDB-2019-008033, date: 2019-08-23T00:00:00
db: CNNVD, id: CNNVD-201908-660, date: 2019-08-23T00:00:00
db: NVD, id: CVE-2019-14354, date: 2024-11-21T04:26:34.487

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-41835, date: 2019-11-22T00:00:00
db: VULHUB, id: VHN-146292, date: 2019-08-10T00:00:00
db: JVNDB, id: JVNDB-2019-008033, date: 2019-08-23T00:00:00
db: CNNVD, id: CNNVD-201908-660, date: 2019-08-10T00:00:00
db: NVD, id: CVE-2019-14354, date: 2019-08-10T16:15:10.770