CVE-2023-39910

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to recover private keys from cryptocurrency wallets generated using Libbitcoin Explorer's 'bx seed' command due to weak entropy seeding. Anyone who used 'bx seed' in affected versions to generate wallet seeds is at risk of having their funds stolen. The vulnerability was actively exploited in mid-2023.

💻 Affected Systems

Products:
  • Libbitcoin Explorer
Versions: 3.0.0 through 3.6.0
Operating Systems: All platforms running Libbitcoin Explorer
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who generated wallet seeds using the 'bx seed' command. The vendor claims documentation warned against using this command, but it was still widely used.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete loss of all cryptocurrency funds from wallets generated with the vulnerable 'bx seed' command, with irreversible theft of assets.

🟠 Likely Case: Targeted attackers scanning for vulnerable wallet addresses and draining funds, as demonstrated by the Milk Sad exploitation campaign.

🟢 If Mitigated: No impact if users never used the 'bx seed' command or have already migrated funds to secure wallets.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploited in the wild in June-July 2023 (Milk Sad campaign). Attackers can brute-force the limited 32-bit entropy space to recover private keys without any authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.6.0

Vendor Advisory: https://github.com/libbitcoin/libbitcoin-explorer/wiki/CVE-2023-39910

Restart Required: No

Instructions:

1. Update Libbitcoin Explorer to version 3.6.1 or later.
2. Do not use the 'bx seed' command for wallet generation.
3. Use secure entropy sources such as hardware wallets or a properly seeded CSPRNG.

🔧 Temporary Workarounds

  • Stop using bx seed (all): Immediately cease using the 'bx seed' command for any wallet generation
  • Use alternative entropy sources (all): Generate wallet seeds using cryptographically secure methods like hardware wallets or OS-provided secure random

🧯 If You Can't Patch

  • Immediately move all funds from wallets generated with 'bx seed' to new wallets created with secure entropy sources
  • Audit all cryptocurrency wallets to identify any generated with vulnerable versions and migrate funds

🔍 How to Verify

Check if Vulnerable:

Check whether you ever used the 'bx seed' command with Libbitcoin Explorer versions 3.0.0-3.6.0 to generate wallet seeds

Check Version:

bx --version

Verify Fix Applied:

Update to version 3.6.1+ and verify you are using secure entropy sources for wallet generation

📡 Detection & Monitoring

Log Indicators:

  • Unusual 'bx seed' command usage patterns
  • Multiple failed wallet access attempts

Network Indicators:

  • Unexpected cryptocurrency transactions from wallets
  • Connections to known exploit infrastructure

SIEM Query:

Search for process execution of 'bx seed' command or related Libbitcoin Explorer activities
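
One way to run the search described above over exported process-execution records, as an added example (not code from the vendor advisory or from Libbitcoin). The `<time> <user> <command line>` record format and the sample lines are constructed assumptions; adapt the parsing to your own audit or EDR export.

```python
import os
import shlex

# Constructed sample: "<UTC time> <user> <command line>" (record format is an assumption).
SAMPLE_LOG = """\
2023-06-01T10:02:11Z alice bx seed -b 256
2023-06-01T10:03:40Z alice /usr/local/bin/bx seed | bx mnemonic-new
2023-06-02T08:15:00Z bob sh -c "bx seed | bx ec-new > key.txt"
2023-06-02T09:00:00Z bob bx help seed
2023-06-03T12:30:00Z carol dbx seed-data --load
2023-06-03T12:31:00Z carol echo "never run bx seed"
"""

SHELLS = {"sh", "bash", "dash", "zsh"}

def simple_commands(cmdline):
    """Split a command line into argv lists at |, ;, && and || operators."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:           # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    argv, commands = [], []
    for tok in tokens:
        if tok and set(tok) <= set("|;&"):
            commands.append(argv)
            argv = []
        else:
            argv.append(tok)
    commands.append(argv)
    return commands

def runs_bx_seed(cmdline, depth=0):
    """True if any simple command in cmdline executes `bx seed`."""
    for argv in simple_commands(cmdline):
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        if prog == "bx" and argv[1:2] == ["seed"]:
            return True
        # Inspect the script passed to `sh -c "<script>"`, with a bounded depth.
        if prog in SHELLS and "-c" in argv[1:-1] and depth < 3:
            if runs_bx_seed(argv[argv.index("-c") + 1], depth + 1):
                return True
    return False

def scan(log_text):
    """Return (time, user, command line) for each record that ran `bx seed`."""
    records = (line.split(None, 2) for line in log_text.splitlines())
    return [tuple(r) for r in records if len(r) == 3 and runs_bx_seed(r[2])]
```

Matching on the parsed program name and first argument, rather than on the substring `bx seed`, keeps `bx help seed`, `dbx seed-data` and quoted text out of the results while still catching full-path and `sh -c` invocations.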
