CVE-2019-18672

Name of the Vulnerable Software and Affected Versions ShapeShift KeepKey hardware wallet versions prior to 6.2.2

Description The issue is related to insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet. This allows a partial reset of cryptographic secrets to known values via crafted messages, which can be sent by unauthenticated attackers through the WebUSB interface. Notably, this breaks the security of U2F for new server registrations and invalidates existing registrations.

Recommendations For versions prior to 6.2.2, update the firmware to version 6.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the WebUSB interface to minimize the risk of exploitation.