Details of VAR-201908-0922

ID

VAR-201908-0922

CVE

CVE-2019-14355

TITLE

ShapeShift KeepKey Information Disclosure Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-27462 // CNNVD: CNNVD-201908-658

DESCRIPTION

On ShapeShift KeepKey devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover secret data shown on the display. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. NOTE: the vendor's position is that there is "insignificant risk. ** Unsettled ** This case has not been confirmed as a vulnerability. ShapeShift KeepKey The device contains an information disclosure vulnerability. The vendor has disputed this vulnerability. For details, see NVD of Current Description Please Confirm. https://nvd.nist.gov/vuln/detail/CVE-2019-14355Information may be obtained. This vulnerability stems from configuration errors in network systems or products during operation

Trust: 2.25

sources: NVD: CVE-2019-14355 // JVNDB: JVNDB-2019-008034 // CNVD: CNVD-2019-27462 // VULHUB: VHN-146293

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-27462

AFFECTED PRODUCTS

vendor:	shapeshift	model:	keepkey	scope:	eq	version:	-	Trust: 1.0
vendor:	key hodlers	model:	keepkey	scope:	-	version:	-	Trust: 0.8
vendor:	shapeshift	model:	keepkey	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2019-27462 // JVNDB: JVNDB-2019-008034 // NVD: CVE-2019-14355

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-14355
value:	LOW
Trust: 1.0
NVD:	CVE-2019-14355
value:	LOW
Trust: 0.8
CNVD:	CNVD-2019-27462
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201908-658
value:	LOW
Trust: 0.6
VULHUB:	VHN-146293
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2019-14355
severity:	LOW
baseScore:	1.9
vectorString:	AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-27462
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-146293
severity:	LOW
baseScore:	1.9
vectorString:	AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.4
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-14355
baseSeverity:	LOW
baseScore:	2.4
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-27462 // VULHUB: VHN-146293 // JVNDB: JVNDB-2019-008034 // CNNVD: CNNVD-201908-658 // NVD: CVE-2019-14355

PROBLEMTYPE DATA

problemtype:	CWE-203	Trust: 1.0
problemtype:	CWE-200	Trust: 0.9

sources: VULHUB: VHN-146293 // JVNDB: JVNDB-2019-008034 // NVD: CVE-2019-14355

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201908-658

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008034

PATCH

title:

keepkey

url:

https://shapeshift.io/keepkey/

Trust: 0.8

sources: JVNDB: JVNDB-2019-008034

EXTERNAL IDS

db:	NVD	id:	CVE-2019-14355	Trust: 3.1
db:	JVNDB	id:	JVNDB-2019-008034	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-658	Trust: 0.7
db:	CNVD	id:	CNVD-2019-27462	Trust: 0.6
db:	VULHUB	id:	VHN-146293	Trust: 0.1

sources: CNVD: CNVD-2019-27462 // VULHUB: VHN-146293 // JVNDB: JVNDB-2019-008034 // CNNVD: CNNVD-201908-658 // NVD: CVE-2019-14355

REFERENCES

url:	https://medium.com/shapeshift-stories/shapeshift-security-update-5b0dd45c93db	Trust: 3.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-14355	Trust: 2.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14355	Trust: 0.8

sources: CNVD: CNVD-2019-27462 // VULHUB: VHN-146293 // JVNDB: JVNDB-2019-008034 // CNNVD: CNNVD-201908-658 // NVD: CVE-2019-14355

SOURCES

db:	CNVD	id:	CNVD-2019-27462
db:	VULHUB	id:	VHN-146293
db:	JVNDB	id:	JVNDB-2019-008034
db:	CNNVD	id:	CNNVD-201908-658
db:	NVD	id:	CVE-2019-14355

LAST UPDATE DATE

2024-11-23T22:11:52.265000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-27462	date:	2019-08-15T00:00:00
db:	VULHUB	id:	VHN-146293	date:	2019-08-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-008034	date:	2019-08-23T00:00:00
db:	CNNVD	id:	CNNVD-201908-658	date:	2019-08-23T00:00:00
db:	NVD	id:	CVE-2019-14355	date:	2024-11-21T04:26:34.633

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-27462	date:	2019-08-15T00:00:00
db:	VULHUB	id:	VHN-146293	date:	2019-08-10T00:00:00
db:	JVNDB	id:	JVNDB-2019-008034	date:	2019-08-23T00:00:00
db:	CNNVD	id:	CNNVD-201908-658	date:	2019-08-10T00:00:00
db:	NVD	id:	CVE-2019-14355	date:	2019-08-10T16:15:11.300