Vulnerability Details : CVE-2022-30330
Potential exploit
In the KeepKey firmware before 7.3.2, flaws in the supervisor interface can be exploited to bypass important security restrictions on firmware operations. Using these flaws, malicious firmware code can elevate privileges, permanently make the device inoperable, or overwrite the trusted bootloader code to compromise the hardware wallet across reboots or storage wipes.
Products affected by CVE-2022-30330
- cpe:2.3:o:keepkey:keepkey_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-30330
- 0.01%: Probability of exploitation activity in the next 30 days
- ~ 1 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-30330
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C | 3.4 | 10.0 | NIST | |
6.6 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 0.7 | 5.9 | NIST | |
CWE ids for CVE-2022-30330
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-30330
- https://blog.inhq.net/posts/keepkey-CVE-2022-30330/
  KeepKey Supervisor Vulnerabilities (CVE-2022-30330) | invd blog (Exploit; Patch; Third Party Advisory)
- https://github.com/keepkey/keepkey-firmware/commit/447c1f038a31378ab9589965c098467d9ea6cccc
  fix: more robust address range checks in svhandler_flash_* · keepkey/keepkey-firmware@447c1f0 · GitHub (Patch; Third Party Advisory)
- https://github.com/keepkey/keepkey-firmware/releases/tag/v7.3.2
  Release Release v7.3.2 / Bootloader v2.1.4 · keepkey/keepkey-firmware · GitHub (Release Notes; Third Party Advisory)