Sign-up

ID

VAR-201912-0695


CVE

CVE-2019-18672


TITLE

ShapeShift KeepKey hardware wallet Vulnerabilities related to incomplete data integrity verification

Trust: 0.8

sources: JVNDB: JVNDB-2019-013332

DESCRIPTION

Insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow a partial reset of cryptographic secrets to known values via crafted messages. Notably, this breaks the security of U2F for new server registrations and invalidates existing registrations. This vulnerability can be exploited by unauthenticated attackers and the interface is reachable via WebUSB. ShapeShift KeepKey hardware wallet Contains a vulnerability related to incomplete data integrity verification.Information may be tampered with. ShapeShift KeepKey is an e-wallet device for cryptocurrency storage. There is an unknown vulnerability in the ShapeShift KeepKey finite state machine, which is caused by the program not being fully verified. An attacker could use this vulnerability to reset a part of the encryption key to a known value using a specially crafted message

Trust: 2.16

sources: NVD: CVE-2019-18672 // JVNDB: JVNDB-2019-013332 // CNVD: CNVD-2020-00494

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-00494

AFFECTED PRODUCTS

vendor:shapeshiftmodel:keepkeyscope:ltversion:6.2.2

Trust: 1.6

vendor:key hodlersmodel:keepkeyscope:eqversion:6.2.2

Trust: 0.8

vendor:shapeshiftmodel:keepkeyscope:eqversion:4.0.0

Trust: 0.6

vendor:shapeshiftmodel:keepkeyscope:eqversion:3.1.0

Trust: 0.6

vendor:shapeshiftmodel:keepkeyscope:eqversion:5.1.2

Trust: 0.6

vendor:shapeshiftmodel:keepkeyscope:eqversion:5.1.0

Trust: 0.6

vendor:shapeshiftmodel:keepkeyscope:eqversion:4.0.3

Trust: 0.6

vendor:shapeshiftmodel:keepkeyscope:eqversion:5.0.0

Trust: 0.6

vendor:shapeshiftmodel:keepkeyscope:eqversion:5.1.1

Trust: 0.6

vendor:shapeshiftmodel:keepkeyscope:eqversion:5.0.1

Trust: 0.6

vendor:shapeshiftmodel:keepkeyscope:eqversion:5.2.4

Trust: 0.6

vendor:shapeshiftmodel:keepkeyscope:eqversion:4.0.1

Trust: 0.6

sources: CNVD: CNVD-2020-00494 // JVNDB: JVNDB-2019-013332 // CNNVD: CNNVD-201912-269 // NVD: CVE-2019-18672

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-18672
value: HIGH

Trust: 1.0

NVD: CVE-2019-18672
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-00494
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201912-269
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-18672
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-00494
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-18672
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-18672
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-00494 // JVNDB: JVNDB-2019-013332 // CNNVD: CNNVD-201912-269 // NVD: CVE-2019-18672

PROBLEMTYPE DATA

problemtype:CWE-354

Trust: 1.8

sources: JVNDB: JVNDB-2019-013332 // NVD: CVE-2019-18672

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-269

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201912-269

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-013332

PATCH
title:firmware: stronger recovery state machine checksurl:https://github.com/keepkey/keepkey-firmware/commit/769714fcb569e7a4faff9530a2d9ac1f9d6e5680
Trust: 0.8
title:Patch for Unknown vulnerability in ShapeShift KeepKey finite state machineurl:https://www.cnvd.org.cn/patchInfo/show/195943
Trust: 0.6
title:ShapeShift KeepKey finite state machine Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=105468
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-00494 // 
            
            
            
            JVNDB: JVNDB-2019-013332 // 
            
            
            
            CNNVD: CNNVD-201912-269

EXTERNAL IDS
db:NVDid:CVE-2019-18672
Trust: 3.0
db:JVNDBid:JVNDB-2019-013332
Trust: 0.8
db:CNVDid:CNVD-2020-00494
Trust: 0.6
db:CNNVDid:CNNVD-201912-269
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-00494 // 
            
            
            
            JVNDB: JVNDB-2019-013332 // 
            
            
            
            CNNVD: CNNVD-201912-269 // 
            
            
            
            NVD: CVE-2019-18672

REFERENCES
url:https://nvd.nist.gov/vuln/detail/cve-2019-18672
Trust: 2.0
url:https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3
Trust: 1.6
url:https://medium.com/shapeshift-stories/keepkey-release-notes-v-6f7d2ec78065
Trust: 1.6
url:https://blog.inhq.net/posts/keepkey-cve-2019-18672/
Trust: 1.6
url:https://github.com/keepkey/keepkey-firmware/commit/769714fcb569e7a4faff9530a2d9ac1f9d6e5680
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18672
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2020-00494 // 
            
            
            
            JVNDB: JVNDB-2019-013332 // 
            
            
            
            CNNVD: CNNVD-201912-269 // 
            
            
            
            NVD: CVE-2019-18672

SOURCES
db:CNVDid:CNVD-2020-00494
db:JVNDBid:JVNDB-2019-013332
db:CNNVDid:CNNVD-201912-269
db:NVDid:CVE-2019-18672

LAST UPDATE DATE
2024-11-23T22:55:20.050000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-00494date:2020-01-03T00:00:00
db:JVNDBid:JVNDB-2019-013332date:2019-12-25T00:00:00
db:CNNVDid:CNNVD-201912-269date:2020-03-03T00:00:00
db:NVDid:CVE-2019-18672date:2024-11-21T04:33:30.100

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-00494date:2020-01-03T00:00:00
db:JVNDBid:JVNDB-2019-013332date:2019-12-25T00:00:00
db:CNNVDid:CNNVD-201912-269date:2019-12-06T00:00:00
db:NVDid:CVE-2019-18672date:2019-12-06T18:15:12.700