CVE-2019-18672

7.5 HIGH

📋 TL;DR

This vulnerability in ShapeShift KeepKey hardware wallets allows attackers to partially reset cryptographic secrets to known values via crafted messages, breaking U2F security for new server registrations and invalidating existing ones. Unauthenticated attackers can exploit this through WebUSB, affecting all KeepKey users with firmware before 6.2.2.

💻 Affected Systems

Products:
  • ShapeShift KeepKey hardware wallet
Versions: All firmware versions before 6.2.2
Operating Systems: All operating systems supporting WebUSB
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the hardware wallet firmware itself, not dependent on host operating system configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of U2F authentication for new server registrations, allowing attackers to register malicious U2F devices and potentially bypass multi-factor authentication on services using KeepKey for U2F.

🟠

Likely Case

Invalidation of existing U2F registrations requiring users to re-register their devices, and potential U2F security bypass for new registrations if exploited during device setup.

🟢

If Mitigated

No impact if firmware is updated to 6.2.2 or later before any exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires physical access or ability to send crafted messages via WebUSB interface. Public proof-of-concept exists in the referenced blog posts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.2 and later

Vendor Advisory: https://medium.com/shapeshift-stories/shapeshift-security-update-8ec89bb1b4e3

Restart Required: Yes

Instructions:

1. Connect the KeepKey to a computer via USB.
2. Open the KeepKey client software.
3. Check for firmware updates.
4. Install firmware version 6.2.2 or later.
5. The device will restart automatically after the update.

🔧 Temporary Workarounds

Disable WebUSB access (applies to: all)

Prevent browser-based attacks by disabling WebUSB access to the KeepKey device.

Browser-specific: In Chrome, disable the 'WebUSB' flag in chrome://flags.

Physical isolation (applies to: all)

Only connect the KeepKey to trusted computers and disconnect it when not in use.

🧯 If You Can't Patch

  • Do not use KeepKey for U2F authentication until patched
  • Consider using alternative hardware wallet or U2F device for critical authentication

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the KeepKey client software. If the version is below 6.2.2, the device is vulnerable.

Check Version:

Use KeepKey client software to view device information and firmware version

Verify Fix Applied:

After updating, verify firmware version shows 6.2.2 or higher in KeepKey client.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device resets
  • Multiple U2F registration attempts
  • WebUSB connection attempts to KeepKey device

Network Indicators:

  • WebUSB protocol traffic to KeepKey device from untrusted sources

SIEM Query:

device.vendor:"KeepKey" AND (event.action:"firmware_update" OR event.action:"device_reset")
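The following is an added example, not part of this CVE record or of any KeepKey or SIEM product: it runs the indicators listed above (KeepKey firmware updates and device resets, repeated U2F registrations) over constructed sample events, and applies the "below 6.2.2" rule from the How to Verify section. The field names (device.vendor, event.action, device.firmware_version, user), the u2f_register action and the sample data are assumptions about a generic event schema, not a documented format.

```python
"""Added example: detection logic for the CVE-2019-18672 indicators
over constructed sample events, plus the firmware-version check.
Field names and sample events are assumptions, not real telemetry."""

from collections import Counter

FIXED_VERSION = (6, 2, 2)  # first fixed firmware per the advisory

# Constructed sample events (assumed schema; not real logs).
SAMPLE_EVENTS = [
    {"device.vendor": "KeepKey", "event.action": "firmware_update",
     "device.firmware_version": "6.1.0", "user": "alice"},
    {"device.vendor": "KeepKey", "event.action": "device_reset",
     "device.firmware_version": "6.1.0", "user": "alice"},
    {"device.vendor": "Other", "event.action": "device_reset",
     "device.firmware_version": "1.0.0", "user": "bob"},
    {"device.vendor": "KeepKey", "event.action": "u2f_register",
     "device.firmware_version": "6.1.0", "user": "alice"},
    {"device.vendor": "KeepKey", "event.action": "u2f_register",
     "device.firmware_version": "6.1.0", "user": "alice"},
    {"device.vendor": "KeepKey", "event.action": "u2f_register",
     "device.firmware_version": "6.1.0", "user": "alice"},
    {"device.vendor": "KeepKey", "event.action": "firmware_update",
     "device.firmware_version": "6.2.2", "user": "carol"},
]


def parse_version(text):
    """'6.2.2' -> (6, 2, 2). Numeric tuples compare correctly; plain
    string comparison would rank '6.10.0' below '6.2.2'."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def is_vulnerable(version_text):
    """True when the firmware is below 6.2.2 (the 'Check if Vulnerable' rule)."""
    return parse_version(version_text) < FIXED_VERSION


def matches_siem_query(event):
    """vendor == KeepKey AND (firmware_update OR device_reset).
    The OR must be grouped: in most query languages AND binds tighter,
    so 'A AND B OR C' would also match device_reset from any vendor."""
    return (event.get("device.vendor") == "KeepKey"
            and event.get("event.action") in {"firmware_update", "device_reset"})


def find_alerts(events, u2f_threshold=3):
    """Return (user, reason) pairs: query hits first, then users with
    at least u2f_threshold KeepKey U2F registration events."""
    alerts = []
    registrations = Counter()
    for event in events:
        if matches_siem_query(event):
            alerts.append((event["user"], event["event.action"]))
        if (event.get("device.vendor") == "KeepKey"
                and event.get("event.action") == "u2f_register"):
            registrations[event["user"]] += 1
    for user, count in registrations.items():
        if count >= u2f_threshold:
            alerts.append((user, f"multiple_u2f_registrations:{count}"))
    return alerts


def vulnerable_users(events):
    """Users whose KeepKey reported a firmware version below 6.2.2."""
    return sorted({event["user"] for event in events
                   if event.get("device.vendor") == "KeepKey"
                   and is_vulnerable(event["device.firmware_version"])})


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
    print("still on vulnerable firmware:", vulnerable_users(SAMPLE_EVENTS))
```

The registration threshold is a tuning choice: a legitimate user re-registering after the 6.2.2 update will also generate several u2f_register events, so treat that alert as a prompt to confirm the firmware version rather than as proof of exploitation.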

🔗 References
