GHSA-VG44-FW64-CPJX
Vulnerability from github – Published: 2020-03-24 15:08 – Updated: 2021-08-23 14:40Impact
Anybody using this library to sign with a BIP44 account other than the first account may be affected. If a user is signing with the first account (i.e. the account at index 0), or with the legacy MEW/MyCrypto HD path, they are not affected.
The vulnerability impacts cases where the user signs a personal message or transaction without first adding the account. This includes cases where the user has already added the account in a previous session (i.e. they added the account, reset the application, then signed something). The serialization/deserialization process does restore a previously added account, but it doesn't restore the index instructing the keyring to use that account for signing. As a result, after serializing then deserializing the keyring state, the account at index 0 is always used for signing even if it isn't the current account.
Patches
This has been patched (#14) in version >=0.2.1 of eth-ledger-bridge-keyring, and in version >=0.2.2 of @metamask/eth-ledger-bridge-keyring. Users are encouraged to migrate to the new package name.
Workarounds
To work around this problem without updating, you should remove then re-add the account before use. As long as the account was added during the lifetime of that process, signing with that account should work correctly.
For more information
If you have any questions or comments about this advisory:
- Open an issue in MetaMask/eth-ledger-bridge-keyring on GitHub
- Email the MetaMask team at hello@metamask.io
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "eth-ledger-bridge-keyring"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@metamask/eth-ledger-bridge-keyring"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2020-03-23T23:11:03Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nAnybody using this library to sign with a BIP44 account other than the first account may be affected. If a user is signing with the first account (i.e. the account at index `0`), or with the legacy MEW/MyCrypto HD path, they are not affected.\n\nThe vulnerability impacts cases where the user signs a personal message or transaction without first adding the account. This includes cases where the user has already added the account in a previous session (i.e. they added the account, reset the application, then signed something). The serialization/deserialization process does restore a previously added account, but it doesn\u0026#39;t restore the index instructing the keyring to use that account for signing. As a result, after serializing then deserializing the keyring state, the account at index `0` is always used for signing even if it isn\u0026#39;t the current account.\n\n### Patches\n\nThis has been patched ([#14](https://github.com/MetaMask/eth-ledger-bridge-keyring/pull/14)) in version \u0026gt;=0.2.1 of [`eth-ledger-bridge-keyring`](https://www.npmjs.com/package/eth-ledger-bridge-keyring), and in version \u0026gt;=0.2.2 of [`@metamask/eth-ledger-bridge-keyring`](https://www.npmjs.com/package/@metamask/eth-ledger-bridge-keyring). Users are encouraged to migrate to the new package name.\n\n### Workarounds\n\nTo work around this problem without updating, you should remove then re-add the account before use. As long as the account was added during the lifetime of that process, signing with that account should work correctly.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [MetaMask/eth-ledger-bridge-keyring on GitHub](https://github.com/MetaMask/eth-ledger-bridge-keyring)\n* Email the MetaMask team at [hello@metamask.io](mailto:hello@metamask.io)",
"id": "GHSA-vg44-fw64-cpjx",
"modified": "2021-08-23T14:40:05Z",
"published": "2020-03-24T15:08:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MetaMask/eth-ledger-bridge-keyring/security/advisories/GHSA-vg44-fw64-cpjx"
},
{
"type": "WEB",
"url": "https://github.com/MetaMask/eth-ledger-bridge-keyring/pull/14"
},
{
"type": "WEB",
"url": "https://github.com/MetaMask/eth-ledger-bridge-keyring/commit/f32e529d13a53e55f558d903534d631846dc26ce"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-vg44-fw64-cpjx"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-ETHLEDGERBRIDGEKEYRING-561121"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1497"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1498"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Account Used for Signing"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.