Vulnerability Details CVE-2023-25758
Onekey Touch devices through 4.0.0 and Onekey Mini devices through 2.10.0 allow man-in-the-middle attackers to obtain the seed phase. The man-in-the-middle access can only be obtained after disassembling a device (i.e., here, "man-in-the-middle" does not refer to the attacker's position on an IP network). NOTE: the vendor states that "our hardware team has updated the security patch without anyone being affected."
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.6%
CVSS Severity
CVSS v3 Score 4.2
References
- https://blog.onekey.so/our-response-to-recent-security-fix-reports-13914fea8afd
- https://fortune.com/crypto/2023/02/09/cyber-firm-cracks-onekey-crypto-wallets-in-video-raises-questions-hardware-security/amp/
- https://github.com/OneKeyHQ/firmware
- https://blog.onekey.so/our-response-to-recent-security-fix-reports-13914fea8afd
- https://fortune.com/crypto/2023/02/09/cyber-firm-cracks-onekey-crypto-wallets-in-video-raises-questions-hardware-security/amp/
- https://github.com/OneKeyHQ/firmware
Products affected by CVE-2023-25758
-
cpe:2.3:h:onekey:onekey_mini:-
-
cpe:2.3:h:onekey:onekey_touch:-
-
cpe:2.3:o:onekey:onekey_mini_firmware:-
-
cpe:2.3:o:onekey:onekey_mini_firmware:2.10.0
-
cpe:2.3:o:onekey:onekey_mini_firmware:2.3.0
-
cpe:2.3:o:onekey:onekey_mini_firmware:2.4.0
-
cpe:2.3:o:onekey:onekey_mini_firmware:2.5.0
-
cpe:2.3:o:onekey:onekey_mini_firmware:2.6.0
-
cpe:2.3:o:onekey:onekey_mini_firmware:2.7.0
-
cpe:2.3:o:onekey:onekey_mini_firmware:2.8.0
-
cpe:2.3:o:onekey:onekey_touch_firmware:-
-
cpe:2.3:o:onekey:onekey_touch_firmware:3.4.0
-
cpe:2.3:o:onekey:onekey_touch_firmware:4.0.0