CVE-2024-23660

The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 2023. An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.
Configurations

Configuration 1 (hide)

cpe:2.3:a:binance:trust_wallet:0.0.4:*:*:*:*:iphone_os:*:*

History

21 Nov 2024, 08:58

Type Values Removed Values Added
References () https://milksad.info/posts/research-update-5/ - Exploit, Third Party Advisory () https://milksad.info/posts/research-update-5/ - Exploit, Third Party Advisory
References () https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/ - Exploit, Third Party Advisory () https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/ - Exploit, Third Party Advisory

15 Feb 2024, 16:01

Type Values Removed Values Added
CWE CWE-338
Summary
  • (es) La aplicación Binance Trust Wallet para iOS en el commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 hace un mal uso de la librería trezor-crypto y, en consecuencia, genera palabras mnemotécnicas para las cuales el tiempo del dispositivo es la única fuente de entropía, lo que genera pérdidas económicas, como se explotó en julio 2023. Un atacante puede generar sistemáticamente mnemónicos para cada marca de tiempo dentro de un período de tiempo aplicable y vincularlos a direcciones de billetera específicas para robar fondos de esas billeteras.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:binance:trust_wallet:0.0.4:*:*:*:*:iphone_os:*:*
References () https://milksad.info/posts/research-update-5/ - () https://milksad.info/posts/research-update-5/ - Exploit, Third Party Advisory
References () https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/ - () https://secbit.io/blog/en/2024/01/19/trust-wallets-fomo3d-summer-vuln/ - Exploit, Third Party Advisory
First Time Binance
Binance trust Wallet

08 Feb 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-08 20:15

Updated : 2024-11-21 08:58


NVD link : CVE-2024-23660

Mitre link : CVE-2024-23660

CVE.ORG link : CVE-2024-23660


JSON object : View

Products Affected

binance

  • trust_wallet
CWE
CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)