Vulnerability Description
Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.7.0 allow a global buffer overflow via crafted messages. Flaws in cf_confirmExecTx() in ethereum_contracts.c can be used to reveal arbitrary microcontroller memory on the device screen or crash the device. With physical access to a PIN-unlocked device, attackers can extract the BIP39 mnemonic secret from the hardware wallet.
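As an added illustration of the bug class the description names (a host-controlled length copied into a fixed-size global buffer with no bound check), the C model below contrasts a vulnerable confirmation handler with a hardened one. It is example code written for this page, not KeepKey firmware and not the contents of the fix pull request; the function names, the buffer sizes, and the placement of a stand-in secret directly after the screen line buffer are assumptions made for illustration, and the crafted message is constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bug class (insufficient length check on a
 * host-supplied message copied into a global buffer). It is NOT KeepKey
 * code; names, sizes and layout are assumptions for illustration. */

/* A decoded message field: the host controls both the bytes and the length. */
#define FIELD_MAX 256
typedef struct {
    uint32_t size;             /* attacker-controlled length */
    uint8_t  bytes[FIELD_MAX];
} bytes_field_t;

/* Model of the firmware's global data: a fixed-size line buffer for the
 * confirmation screen immediately followed by other global state (here a
 * stand-in secret). One flat array keeps the adjacency deterministic and
 * keeps the overflow within defined behaviour for this demonstration. */
#define LINE_LEN   64
#define SECRET_LEN 16
static uint8_t globals[LINE_LEN + SECRET_LEN];
static uint8_t *const screen_line = globals;            /* bytes 0..63  */
static uint8_t *const secret      = globals + LINE_LEN; /* bytes 64..79 */

static void reset_globals(void) {
    memset(globals, 0, sizeof globals);
    memcpy(secret, "SEED-PHRASE-HERE", SECRET_LEN);    /* constructed value */
}

/* Vulnerable pattern: trusts field->size and copies that many bytes into
 * the 64-byte global line buffer. Any size above LINE_LEN overwrites
 * whatever the linker placed next; on a real MCU that is arbitrary memory. */
static void vulnerable_confirm(const bytes_field_t *field) {
    memcpy(screen_line, field->bytes, field->size);   /* no bound check */
}

/* Hardened pattern: reject a message whose field does not fit before
 * touching the buffer, and only ever copy the checked length. */
static bool hardened_confirm(const bytes_field_t *field) {
    if (field->size > LINE_LEN) {
        return false;   /* caller answers with a Failure message, no crash */
    }
    memcpy(screen_line, field->bytes, field->size);
    return true;
}

/* Constructed "crafted message": size bytes of fill. Sizes above FIELD_MAX
 * are clamped, standing in for the decoder's own wire limit in this model. */
static bytes_field_t craft_message(uint32_t size, uint8_t fill) {
    bytes_field_t f;
    memset(&f, 0, sizeof f);
    if (size > FIELD_MAX) size = FIELD_MAX;
    f.size = size;
    memset(f.bytes, fill, size);
    return f;
}

/* True if the stand-in secret still holds its original value. */
static bool secret_intact(void) {
    return memcmp(secret, "SEED-PHRASE-HERE", SECRET_LEN) == 0;
}

/* Feed the vulnerable handler a field of the given size (at most
 * sizeof globals, so the model stays within its own array) and return how
 * many bytes spilled past the line buffer into the neighbouring secret. */
static uint32_t run_vulnerable(uint32_t size) {
    if (size > sizeof globals) size = sizeof globals;
    bytes_field_t msg = craft_message(size, 'A');
    reset_globals();
    vulnerable_confirm(&msg);
    return secret_intact() ? 0 : size - LINE_LEN;
}

/* Feed the hardened handler the same field.
 * Returns 1: accepted, secret intact; 0: rejected, secret intact; -1: corrupted. */
static int run_hardened(uint32_t size) {
    bytes_field_t msg = craft_message(size, 'A');
    reset_globals();
    bool accepted = hardened_confirm(&msg);
    if (!secret_intact()) return -1;
    return accepted ? 1 : 0;
}

int main(void) {
    printf("vulnerable handler, 80-byte field: %u byte(s) spilled into secret\n",
           run_vulnerable(80));
    printf("hardened handler, 80-byte field: %d (0 = rejected, secret intact)\n",
           run_hardened(80));
    printf("hardened handler, 32-byte field: %d (1 = accepted)\n",
           run_hardened(32));
    return 0;
}
```

The model makes the neighbouring data a known stand-in so the spill is measurable; on the device, what follows the buffer is whatever the linker placed there, which is why the advisory describes both memory disclosure on the screen and crashes. The practitioner check is the same in either case: every host-supplied length must be compared against the destination buffer before the copy, and a message that fails the check must be answered with an error rather than processed.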
CVSS Score
LOW (base score 3.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Shapeshift | Keepkey Firmware | >= 7.5.2, < 7.7.0 |
| Shapeshift | Keepkey | - |
Related Weaknesses (CWE)
References
- https://blog.inhq.net/posts/keepkey-CVE-2023-27892/ (Exploit, Third Party Advisory)
- https://github.com/keepkey/keepkey-firmware/pull/337 (Patch)
FAQ
What is CVE-2023-27892?
CVE-2023-27892 is a vulnerability with a CVSS base score of 3.8 (LOW). Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.7.0 allow a global buffer overflow via crafted messages sent to the device. Flaws in cf_confirmExecTx() in ethereum_contracts.c can be used to reveal arbitrary microcontroller memory on the device screen or to crash the device; with physical access to a PIN-unlocked device, an attacker can extract the BIP39 mnemonic, i.e. the wallet's seed secret.
How severe is CVE-2023-27892?
CVE-2023-27892 has been rated LOW with a CVSS base score of 3.8/10; only the base score is listed on this page, not the full metric vector. The low score reflects the preconditions (physical access to a device that is already PIN-unlocked) rather than the impact: a successful attack discloses the BIP39 mnemonic, which is the entire wallet secret, so an unpatched device should be treated as compromised if it was ever out of the owner's control while unlocked.
Is there a patch for CVE-2023-27892?
Yes. The flaw is fixed in KeepKey firmware 7.7.0, and the fix is tracked in keepkey-firmware pull request 337 (linked in the references above). Affected products are ShapeShift KeepKey firmware versions 7.5.2 up to, but not including, 7.7.0, and the KeepKey device running that firmware. Update the device to firmware 7.7.0 or later.