History: Feb 08, 2024 - 8:15 p.m.

CVE-2024-23660

2024-02-08 20:15:52
CWE-338
mitre
web.nvd.nist.gov
binance trust wallet
ios
commit
git tag
trezor-crypto library
economic losses
mnemonic words
entropy source
vulnerability
cve-2024-23660
nvd

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 7.2
Confidence: High

EPSS: 0.001
Percentile: 17.8%

The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 2023. An attacker can systematically generate mnemonics for each timestamp within an applicable timeframe, and link them to specific wallet addresses in order to steal funds from those wallets.

Affected configurations

Nvd
Node: binance trust_wallet, Match 0.0.4, iphone_os

Vendor | Product | Version | CPE
binance | trust_wallet | 0.0.4 | cpe:2.3:a:binance:trust_wallet:0.0.4:*:*:*:*:iphone_os:*:*
