CVE-2022-30330

In the KeepKey firmware before 7.3.2,Flaws in the supervisor interface can be exploited to bypass important security restrictions on firmware operations. Using these flaws, malicious firmware code can elevate privileges, permanently make the device inoperable or overwrite the trusted bootloader code to compromise the hardware wallet across reboots or storage wipes.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:keepkey:keepkey_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:keepkey:keepkey:-:*:*:*:*:*:*:*

History

08 Aug 2023, 14:22

Type Values Removed Values Added
References (MISC) https://blog.inhq.net/posts/keepkey-CVE-2022-30330/ - (MISC) https://blog.inhq.net/posts/keepkey-CVE-2022-30330/ - Exploit, Patch, Third Party Advisory
CWE CWE-668 CWE-20

05 Jul 2022, 12:15

Type Values Removed Values Added
Summary In the KeepKey firmware before 7.3.2, the bootloader can be exploited in unusual situations in which the attacker has physical access, convinces the victim to install malicious firmware, or has unspecified other capabilities. lib/board/supervise.c mishandles svhandler_flash_* address range checks. If exploited, any installed malware could persist even after wiping the device and resetting the firmware. In the KeepKey firmware before 7.3.2,Flaws in the supervisor interface can be exploited to bypass important security restrictions on firmware operations. Using these flaws, malicious firmware code can elevate privileges, permanently make the device inoperable or overwrite the trusted bootloader code to compromise the hardware wallet across reboots or storage wipes.

19 May 2022, 01:15

Type Values Removed Values Added
References
  • (MISC) https://blog.inhq.net/posts/keepkey-CVE-2022-30330/ -

17 May 2022, 16:55

Type Values Removed Values Added
CWE CWE-668
CVSS v2 : unknown
v3 : unknown
v2 : 6.9
v3 : 6.6
CPE cpe:2.3:h:keepkey:keepkey:-:*:*:*:*:*:*:*
cpe:2.3:o:keepkey:keepkey_firmware:*:*:*:*:*:*:*:*
References (MISC) https://github.com/keepkey/keepkey-firmware/commit/447c1f038a31378ab9589965c098467d9ea6cccc - (MISC) https://github.com/keepkey/keepkey-firmware/commit/447c1f038a31378ab9589965c098467d9ea6cccc - Patch, Third Party Advisory
References (MISC) https://github.com/keepkey/keepkey-firmware/releases/tag/v7.3.2 - (MISC) https://github.com/keepkey/keepkey-firmware/releases/tag/v7.3.2 - Release Notes, Third Party Advisory

09 May 2022, 07:15

Type Values Removed Values Added
Summary In the KeepKey firmware before 7.3.2, the bootloader can be exploited in unusual situations in which the attacker has physical access, convinces the victim to install malicious firmware, or knows the victim's seed phrase. lib/board/supervise.c mishandles svhandler_flash_* address range checks. If exploited, any installed malware could persist even after wiping the device and resetting the firmware. In the KeepKey firmware before 7.3.2, the bootloader can be exploited in unusual situations in which the attacker has physical access, convinces the victim to install malicious firmware, or has unspecified other capabilities. lib/board/supervise.c mishandles svhandler_flash_* address range checks. If exploited, any installed malware could persist even after wiping the device and resetting the firmware.

07 May 2022, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-05-07 04:15

Updated : 2024-02-04 22:29


NVD link : CVE-2022-30330

Mitre link : CVE-2022-30330

CVE.ORG link : CVE-2022-30330


JSON object : View

Products Affected

keepkey

  • keepkey
  • keepkey_firmware
CWE
CWE-20

Improper Input Validation