Flawed Protocol Design in Ledger Monero App for Ledger Nano and Ledger S
CVE-2020-6861

5.5MEDIUM

Key Information:

Vendor: Ledger
Status: Monero
Vendor: CVE Published:; 6 May 2020

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2020-6861?

The Ledger Monero app prior to version 1.5.1 exhibits a vulnerability stemming from a flawed protocol design that could be exploited by a local attacker. By sending specifically crafted messages to the app, which must be selected on a Ledger device that is connected to a host PC and secured with a PIN, an attacker may extract the master spending key. This issue highlights the importance of robust protocol designs to safeguard sensitive cryptocurrency keys against unauthorized access.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

ledger-app-monero-1.42-vuln
Created by ph4r05

References

https://donjon.ledger.com/lsb/008/

x_refsource_CONFIRM

https://deadcode.me/blog/2020/04/25/Ledger-Monero-app-spe...

x_refsource_MISC

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2020
Vulnerability Reserved
Jan 13, 2020
🟡
Public PoC available
Jan 3, 2020
👾
Exploit known to exist
Jan 3, 2020

CVE-2020-6861 Data

JSON