CVE-2020-18172 – CVE-2020-18172 is a critical code injection vul... (How to Fix)

Q: What is the severity of CVE-2020-18172?

CVE-2020-18172 has a CVSS score of 9.8 (CRITICAL). CVE-2020-18172 is a critical code injection vulnerability in Trezor Bridge 2.0.27 that allows attackers to execute arbitrary code with elevated privileges. This affects users of Trezor hardware wallets who have the vulnerable bridge software installed on their systems. Successful exploitation could lead to complete system compromise.

📋 TL;DR

CVE-2020-18172 is a critical code injection vulnerability in Trezor Bridge 2.0.27 that allows attackers to execute arbitrary code with elevated privileges. This affects users of Trezor hardware wallets who have the vulnerable bridge software installed on their systems. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:

Trezor Bridge

Versions: Version 2.0.27 specifically

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires SeDebugPrivilege component to be present and accessible. Trezor Bridge typically runs with elevated privileges to communicate with hardware wallet.

📦 What is this software?

Bridge by Trezor

View all CVEs affecting Bridge →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with SYSTEM/root privileges, allowing installation of persistent malware, credential theft, and lateral movement across networks.

🟠

Likely Case

Local privilege escalation enabling attackers to bypass security controls, install keyloggers, or access protected system resources.

🟢

If Mitigated

Limited impact if running with minimal privileges, but still potential for local code execution in user context.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access or social engineering to trigger.

🏢 Internal Only: HIGH - Malicious insiders or compromised user accounts could exploit this to gain elevated privileges on workstations.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local access or ability to execute code in user context. The CWE-94 (Code Injection) nature suggests relatively straightforward exploitation once initial access is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Trezor Bridge 2.0.28 or later

Vendor Advisory: https://blog.trezor.io/security-update-trezor-bridge-2-0-28-6f2b2b3a5c5c

Restart Required: Yes

Instructions:

1. Download latest Trezor Bridge from official website 2. Uninstall previous version 3. Install new version 4. Restart system to ensure clean state

🔧 Temporary Workarounds

Remove SeDebugPrivilege

windows

Modify local security policy to remove SeDebugPrivilege from Trezor Bridge process

secedit /configure /db %windir%\security\local.sdb /cfg remove_debug.cfg /areas USER_RIGHTS

Run with Reduced Privileges

linux

Configure Trezor Bridge to run with standard user privileges instead of elevated rights

sudo chmod -R 755 /usr/local/bin/trezor-bridge
sudo chown -R $USER:$USER /usr/local/bin/trezor-bridge

🧯 If You Can't Patch

Uninstall Trezor Bridge completely if not actively using hardware wallet
Implement application whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check Trezor Bridge version in About dialog or via 'trezor-bridge --version' command

Check Version:

trezor-bridge --version

Verify Fix Applied:

Confirm version is 2.0.28 or higher and verify SeDebugPrivilege is properly restricted

📡 Detection & Monitoring

Log Indicators:

Unexpected process creation with SeDebugPrivilege
Trezor Bridge spawning unexpected child processes
Access violations in application logs

Network Indicators:

Unusual outbound connections from Trezor Bridge process
DNS requests to suspicious domains

SIEM Query:

ProcessCreation WHERE ParentImage LIKE '%trezor-bridge%' AND CommandLine CONTAINS 'SeDebugPrivilege'

📊 Metadata

CVE ID: CVE-2020-18172

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: July 26, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/GitHubAssessments/CVE_07_2019/blob/master/Report.pdf Exploit,Third Party Advisory
https://github.com/GitHubAssessments/CVE_07_2019/blob/master/Report.pdf Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-18172, you might also want to check these: