CVE-2019-18672

HIGH

ShapeShift KeepKey <6.2.2 - Info Disclosure

Title source: llm

Description

Insufficient checks in the finite state machine of the ShapeShift KeepKey hardware wallet before firmware 6.2.2 allow a partial reset of cryptographic secrets to known values via crafted messages. Notably, this breaks the security of U2F for new server registrations and invalidates existing registrations. This vulnerability can be exploited by unauthenticated attackers and the interface is reachable via WebUSB.

References (4)

[Third Party Advisory] https://medium.com/shapeshift-stories/keepkey-release-notes-v-6f7d2ec78065

[Patch, Third Party Advisory] https://github.com/keepkey/keepkey-firmware/commit/769714fcb569e7a4faff9530a2d9ac1f9d6e5680

View Patch ZIP pw:eip

[Third Party Advisory] https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3

[Various Sources] https://blog.inhq.net/posts/keepkey-CVE-2019-18672/

Scores

CVSS v3 7.5

EPSS 0.0048

EPSS Percentile 65.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-354

Status published

Products (1)

shapeshift/keepkey_firmware < 6.2.2

Published Dec 06, 2019

Tracked Since Feb 18, 2026