Vulnerability Description
Onekey Touch devices through 4.0.0 and Onekey Mini devices through 2.10.0 allow man-in-the-middle attackers to obtain the seed phrase. The man-in-the-middle access can only be obtained after disassembling a device (i.e., here, "man-in-the-middle" does not refer to the attacker's position on an IP network). NOTE: the vendor states that "our hardware team has updated the security patch without anyone being affected."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Onekey | Onekey Touch Firmware | <= 4.0.0 |
| Onekey | Onekey Touch | - |
| Onekey | Onekey Mini Firmware | <= 2.10.0 |
| Onekey | Onekey Mini | - |
References
- https://blog.onekey.so/our-response-to-recent-security-fix-reports-13914fea8afd (Vendor Advisory)
- https://fortune.com/crypto/2023/02/09/cyber-firm-cracks-onekey-crypto-wallets-in (Third Party Advisory)
- https://github.com/OneKeyHQ/firmware (Product)
FAQ
What is CVE-2023-25758?
CVE-2023-25758 is a vulnerability with a CVSS score of 4.2 (MEDIUM). Onekey Touch devices through 4.0.0 and Onekey Mini devices through 2.10.0 allow man-in-the-middle attackers to obtain the seed phrase. The man-in-the-middle access can only be obtained after disassembl...
How severe is CVE-2023-25758?
CVE-2023-25758 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25758?
Check the references section above for vendor advisories and patch information. Affected products include: Onekey Onekey Touch Firmware, Onekey Onekey Touch, Onekey Onekey Mini Firmware, Onekey Onekey Mini.