Vulnerability Details : CVE-2023-25758
Onekey Touch devices through 4.0.0 and Onekey Mini devices through 2.10.0 allow man-in-the-middle attackers to obtain the seed phrase. The man-in-the-middle position can only be obtained after disassembling a device; here "man-in-the-middle" means physical interposition inside the opened device, not the attacker's position on an IP network. Note that the CVSS vector below reflects this: attack vector Physical (AV:P) with high attack complexity (AC:H). NOTE: the vendor states that "our hardware team has updated the security patch without anyone being affected."
Products affected by CVE-2023-25758
- cpe:2.3:o:onekey:onekey_touch_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:onekey:onekey_mini_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-25758
- 0.05%: probability of exploitation activity in the next 30 days
- ~23%: percentile, i.e. the proportion of all scored vulnerabilities with an EPSS score at or below this one
CVSS scores for CVE-2023-25758
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.2 | MEDIUM | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 0.5 | 3.6 | NIST | 
References for CVE-2023-25758
- https://github.com/OneKeyHQ/firmware (GitHub: OneKeyHQ/firmware; Product)
- https://blog.onekey.so/our-response-to-recent-security-fix-reports-13914fea8afd (Our Response to Recent Security Fix Reports, by Masa, Feb 2023, OneKey; Vendor Advisory)
- https://fortune.com/crypto/2023/02/09/cyber-firm-cracks-onekey-crypto-wallets-in-video-raises-questions-hardware-security/amp/ (Cyber firm cracks OneKey crypto wallets, raises broader questions of hardware security, Fortune; Third Party Advisory)