CVE-2022-30330 Information
Jun 07, 2022
cve
Description
In the KeepKey firmware before 7.3.2 the bootloader can be exploited in unusual situations in which the attacker has physical access convinces the victim to install malicious firmware or has unspecified other capabilities. lib/board/supervise.c mishandles svhandler_flash_ address range checks. If exploited any installed malware could persist even after wiping the device and resetting the firmware.
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Reference
https://github.com/keepkey/keepkey-firmware/releases/tag/v7.3.2 https://github.com/keepkey/keepkey-firmware/commit/447c1f038a31378ab9589965c098467d9ea6cccc https://blog.inhq.net/posts/keepkey-CVE-2022-30330/
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
REQUIRED
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
6.6
Share on: