PT-2022-20066 · Keepkey · Keepkey

Christian Reitter · Published 2022-05-07 · Updated 2023-08-08 · CVE-2022-30330

CVSS v2.0: 6.9 (Medium)

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

KeepKey firmware versions prior to 7.3.2

Description

The issue is related to flaws in the supervisor interface of the KeepKey firmware, which can be exploited to bypass security restrictions on firmware operations. This can allow malicious firmware code to elevate privileges, make the device inoperable, or overwrite the trusted bootloader code, compromising the hardware wallet across reboots or storage wipes. The exploitation may require physical access, convincing the victim to install malicious firmware, or knowledge of the victim's seed phrase. The svhandler_flash_* address range checks in lib/board/supervise.c are mishandled, potentially allowing installed malware to persist even after wiping the device and resetting the firmware.

Recommendations

For KeepKey firmware versions prior to 7.3.2, update to version 7.3.2 or later to resolve the issue. As a temporary workaround, consider restricting physical access to the device and avoiding installation of unknown or untrusted firmware.

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2022-30330

Affected Products

Keepkey