CVE-2019-18671

Name of the Vulnerable Software and Affected Versions ShapeShift KeepKey hardware wallet versions prior to 6.2.2

Description The issue is related to insufficient checks in the USB packet handling, allowing out-of-bounds writes in the .bss segment via crafted messages. This could potentially allow code execution or other forms of impact. The vulnerability can be triggered by unauthenticated attackers and is reachable via WebUSB.

Recommendations For versions prior to 6.2.2, update the firmware to version 6.2.2 or later to resolve the issue. As a temporary workaround, consider restricting WebUSB access to the ShapeShift KeepKey hardware wallet until the firmware update is applied.