CVE-2020-14199

Published: Jun 16, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

BIP-143 in the Bitcoin protocol specification mishandles the signing of a Segwit transaction, which allows attackers to trick a user into making two signatures in certain cases, potentially leading to a huge transaction fee. NOTE: this affects all hardware wallets. It was fixed in 1.9.1 for the Trezor One and 2.3.1 for the Trezor Model T.

Affected (2)

Products: Satoshilabs: Trezor Model T Firmware, Trezor One Firmware

2 products

Trezor Model T Firmware

Trezor One Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Satoshilabs Trezor Model T Firmware	Before 2.3.1

Running on/with	Platform Versions
Satoshilabs Trezor Model T	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Satoshilabs Trezor One Firmware	Before 1.9.1

Running on/with	Platform Versions
Satoshilabs Trezor One	All versions

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (2)

https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-1-and-trezor-model-t-version-2-3-1-1eba8f60f2dd

Source: cve@mitre.org

Third Party Advisory

https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-1-and-trezor-model-t-version-2-3-1-1eba8f60f2dd

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.