Christian Reitter

**Name of the Vulnerable Software and Affected Versions** YubiHSM 2 SDK versions through 2023.01 **Description** The PKCS11 module of the YubiHSM 2 SDK does not properly validate the length of specific read operations on object metadata. This may lead to disclosure of uninitialized and previously used memory. **Recommendations** For YubiHSM 2 SDK versions through 2023.01, consider updating to a version later than 2023.01 to resolve the issue. As a temporary workaround, restrict access to the PKCS11 module to minimize the risk of exploitation. At the moment, there is no information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** ShapeShift KeepKey hardware wallet versions prior to 7.7.0 **Description** The issue is related to insufficient length checks in the firmware, allowing a global buffer overflow via crafted messages. Flaws in the `cf confirmExecTx()` function in `ethereum contracts.c` can reveal arbitrary microcontroller memory on the device screen or crash the device. With physical access to a PIN-unlocked device, attackers can extract the BIP39 mnemonic secret from the hardware wallet. **Recommendations** For versions prior to 7.7.0, update the firmware to version 7.7.0 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the device and keeping it PIN-locked to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** KeepKey firmware versions prior to 7.3.2 **Description** The issue is related to flaws in the supervisor interface of the KeepKey firmware, which can be exploited to bypass security restrictions on firmware operations. This can allow malicious firmware code to elevate privileges, make the device inoperable, or overwrite the trusted bootloader code, compromising the hardware wallet across reboots or storage wipes. The exploitation may require physical access, convincing the victim to install malicious firmware, or knowledge of the victim's seed phrase. The `svhandler flash *` address range checks in `lib/board/supervise.c` are mishandled, potentially allowing installed malware to persist even after wiping the device and resetting the firmware. **Recommendations** For KeepKey firmware versions prior to 7.3.2, update to version 7.3.2 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the device and avoiding installation of unknown or untrusted firmware.

**Name of the Vulnerable Software and Affected Versions** Yubico YubiHSM YubiHSM2 library version 2021.08 **Description** The issue arises from improper validation of the length of certain operations, including SSH signing requests and data operations received from a YubiHSM 2 device. This affects the Yubico YubiHSM YubiHSM2 library included in the yubihsm-shell project. **Recommendations** For Yubico YubiHSM YubiHSM2 library version 2021.08, consider updating to a newer version that properly validates the length of operations to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Yubico yubihsm-shell versions 2.0.0 through 2.0.3 Description: An issue was discovered in the send secure msg() function. The function does not correctly validate the embedded length field of an authenticated message received from the device, which can trigger an integer overflow. This causes CRYPTO cbc128 decrypt (in OpenSSL) to encounter an undersized buffer and experience a segmentation fault. The yubihsm-shell project is included in the YubiHSM 2 SDK product. Recommendations: For versions 2.0.0 through 2.0.3, as a temporary workaround, consider disabling the send secure msg() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ShapeShift KeepKey hardware wallet firmware versions prior to 7.1.0 **Description** The issue is related to insufficient length checks in the firmware, allowing a stack buffer overflow via crafted messages. This overflow occurs in the `ethereum extractThorchainSwapData()` function in `ethereum.c` and can circumvent stack protections, leading to code execution. The vulnerable interface is reachable remotely over WebUSB. **Recommendations** For versions prior to 7.1.0, update the firmware to version 7.1.0 or later to resolve the issue. As a temporary workaround, consider disabling the `ethereum extractThorchainSwapData()` function until a patch is available. Restrict access to the WebUSB interface to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Yubico yubihsm-shell versions 2.0.0 through 2.0.3 Description: An issue was discovered in the send secure msg() function. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes remove padding() can crash the running process, depending on the memory layout. This could be used by an attacker to cause a client-side denial of service. The yubihsm-shell project is included in the YubiHSM 2 SDK product. Recommendations: For versions 2.0.0 through 2.0.3, as a temporary workaround, consider disabling the send secure msg() function until a patch is available. Restrict access to the vulnerable function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yubihsm-shell versions prior to 2.0.3 **Description** An issue in the yh create session() function allows an attacker to cause a denial of service attack by exploiting out-of-bounds read and write operations in the session array. This occurs when the function fails to explicitly check the returned session id from the device, potentially leading to an invalid session id. **Recommendations** For yubihsm-shell versions prior to 2.0.3, update to version 2.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the yh create session() function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GoPro gpmf-parser versions 1.5 and earlier **Description** The issue is related to a stack out-of-bounds write vulnerability in the `GPMF ExpandComplexTYPE()` function. This vulnerability can be triggered by parsing malicious input, which may result in a crash or potentially allow arbitrary code execution. **Recommendations** For GoPro gpmf-parser versions 1.5 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** yubihsm-shell versions prior to 2.0.3 **Description** An issue was discovered in the `send secure msg()` function. The function does not validate the embedded length field of a message received from the device, which could lead to an oversized `memcpy()` call that will crash the running process. This could be used by an attacker to cause a denial of service. **Recommendations** For versions prior to 2.0.3, update to version 2.0.3 or later to resolve the issue. As a temporary workaround, consider disabling the `send secure msg()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Yubico libykpiv versions prior to 2.1.0 **Description** An issue was discovered in the ykpiv util generate key() function in lib/util.c, where incorrect error handling code can trigger an incorrect free(). This could be used to cause a denial of service attack. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ykpiv util generate key() function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ShapeShift KeepKey hardware wallet versions prior to 6.2.2 **Description** The issue is related to insufficient checks in the USB packet handling, allowing out-of-bounds writes in the .bss segment via crafted messages. This could potentially allow code execution or other forms of impact. The vulnerability can be triggered by unauthenticated attackers and is reachable via WebUSB. **Recommendations** For versions prior to 6.2.2, update the firmware to version 6.2.2 or later to resolve the issue. As a temporary workaround, consider restricting WebUSB access to the ShapeShift KeepKey hardware wallet until the firmware update is applied.

**Name of the Vulnerable Software and Affected Versions** ShapeShift KeepKey hardware wallet versions prior to 6.2.2 **Description** The issue is related to insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet. This allows a partial reset of cryptographic secrets to known values via crafted messages, which can be sent by unauthenticated attackers through the WebUSB interface. Notably, this breaks the security of U2F for new server registrations and invalidates existing registrations. **Recommendations** For versions prior to 6.2.2, update the firmware to version 6.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the WebUSB interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SHIFT BitBox02 (affected versions not specified) **Description** A side channel was discovered related to the row-based OLED display on the device. The power consumption of each display cycle varies based on the number of illuminated pixels, potentially allowing for a partial recovery of display contents. This could be exploited by a hardware implant in the USB cable to recover confidential secrets like the PIN and BIP39 mnemonic, but only if the attacker has control over the device's USB connection at the time secret data is displayed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Coldcard MK1 and MK2 devices (affected versions not specified) **Description** A side channel vulnerability was found in the row-based OLED display of Coldcard devices. The power consumption of each display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. This could potentially be exploited by an attacker with control over the device's USB connection to recover confidential secrets, such as the PIN and BIP39 mnemonic, when secret data is displayed. The issue is only relevant in specific circumstances where the attacker has sufficient control over the device's USB connection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BC Vault (affected versions not specified) **Description** A side channel was discovered related to the row-based SSD1309 OLED display on BC Vault devices. The power consumption during each display cycle varies based on the number of illuminated pixels, potentially allowing for a partial recovery of the display contents. This could be exploited, for example, by a hardware implant in the USB cable to recover data values, but it requires the attacker to have control over the device's USB connection at the time secret data is displayed. The vendor believes there is no significant security impact, as the only potentially leaked information could be the number of characters in the PIN. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mooltipass Mini (affected versions not specified) **Description** A side channel was discovered related to the row-based OLED display on Mooltipass Mini devices. The power consumption of each display cycle varies based on the number of illuminated pixels, potentially allowing for the partial recovery of display contents. This could be exploited by a hardware implant in the USB cable to recover confidential secrets, such as the PIN, if the attacker has control over the device's USB connection during the display of secret data. The vendor considers this attack not "realistically implementable." **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Yubico libu2f-host version 1.1.6 **Description** The issue is related to unchecked buffers in the devs.c file, which could lead to a buffer overflow. This could allow a malicious token to attempt to execute malicious code using a crafted USB device masquerading as a security token on a computer where the affected library is in use. The attack cannot be performed with a genuine YubiKey. The vulnerability is associated with a buffer overflow in the dev.c software, which may allow an attacker to execute arbitrary code. **Recommendations** For Yubico libu2f-host version 1.1.6, consider disabling the use of the devs.c file or restricting access to the library until a patch is available. As a temporary workaround, avoid using the affected library with untrusted USB devices. At the moment, there is no information about a newer version that contains a fix for this vulnerability.