Vulnerability Details : CVE-2023-27892
Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.7.0 allow a global buffer overflow via crafted messages. Flaws in cf_confirmExecTx() in ethereum_contracts.c can be used to reveal arbitrary microcontroller memory on the device screen or crash the device. With physical access to a PIN-unlocked device, attackers can extract the BIP39 mnemonic secret from the hardware wallet.
Vulnerability category: Overflow
Products affected by CVE-2023-27892
- cpe:2.3:o:shapeshift:keepkey_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-27892
- 0.06%: Probability of exploitation activity in the next 30 days
- ~ 25%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-27892
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.8 | LOW | CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N | 0.2 | 3.6 | MITRE | |
5.7 | MEDIUM | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H | 0.5 | 5.2 | NIST | |
CWE ids for CVE-2023-27892
- The product reads data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-27892
- https://blog.inhq.net/posts/keepkey-CVE-2023-27892/
  KeepKey Memory Exfiltration Vulnerability (CVE-2023-27892) | invd blog (Exploit; Third Party Advisory)
- https://github.com/keepkey/keepkey-firmware/pull/337
  remove obsolete cfunc code by markrypt0 · Pull Request #337 · keepkey/keepkey-firmware · GitHub (Patch)