-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
18cc004
commit 28fde4c
Showing
2 changed files
with
53 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| --- | ||
| layout: page | ||
| title: Ledger Security Bulletin 019 | ||
| summary: Invalid addresses for certain miniscript policies | ||
| --- | ||
|
|
||
| 11 May 2023: Invalid addresses for certain miniscript policies | ||
|
|
||
| ## Summary | ||
|
|
||
| Miniscript is a language to define possibly complex spending conditions for bitcoin wallets. | ||
|
|
||
| The Ledger bitcoin app supports miniscript policies since version 2.1.0, deployed in February 2023. | ||
|
|
||
| Versions 2.1.0 and 2.1.1 of the app incorrectly handle the `a:` fragment, causing the app to produce wrong addresses. | ||
|
|
||
| In theory this is critical as the device is usually trusted to display the right address. In practice, the impact is limited, as there is no currently deployed wallet software with a full integration with such policies. | ||
|
|
||
| Any other wallet not using miniscript, or any miniscript policy not containing the `a:` fragment, is not affected. | ||
|
|
||
| Users who encounter issues related to spending Bitcoins can reach out [Ledger Support](https://support.ledger.com/hc/en-us/articles/4423020306705-Contact-Us?support=true). | ||
|
|
||
| ## Description | ||
|
|
||
| The `a:` fragment was incorrectly implemented in the Ledger bitcoin app. | ||
|
|
||
| Read more in the [detailed report by Antoine Poinsot](https://wizardsardine.com/blog/ledger-vulnerability-disclosure/) showing how the vulnerability could be exploited. | ||
|
|
||
| ## Mitigations | ||
|
|
||
| The 2.1.2 version of the app fixed the handling of the `a:` fragment. Users making use of miniscript policies are strongly recommended to upgrade. | ||
|
|
||
| As a further mitigation, all the three client libraries have been updated to reject miniscript policies containing the `a:` fragment on the affected versions of the Ledger bitcoin app; this reduces the risk of incorrectly implemented software wallets using the wrong receiving addresses: | ||
|
|
||
| - [ledger-bitcoin](https://pypi.org/project/ledger-bitcoin/) Python client on Pypi, version `0.2.1`. | ||
| - [ledger-bitcoin](https://www.npmjs.com/package/ledger-bitcoin) JavaScript client on npm, version `0.2.1`. | ||
| - [ledger_bitcoin_client](https://crates.io/crates/ledger_bitcoin_client) Rust crate on crates.io, version `0.1.3`. | ||
|
|
||
| ## Recommendations for software wallets | ||
|
|
||
| Generally, it is strongly recommended that software wallets fully implement the address verification flow on the device screen, This allows the user to inspect the address. Absent that, users are inherently more vulnerable to malware installed on the user's machine that might (for example) replace the receiving address. | ||
|
|
||
| Moreover, software wallets would typically be able to generate the addresses independently (for example, in order to scan for incoming transactions). Therefore, it is recommended that once the user approves an address (prior to receiving funds), the software wallet compares the address it expects with the one returned by the hardware wallet. This is in line with the principles of [_defense in depth_](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)), where seemingly redundant security checks do in fact increase the overall security when unexpected situations do occur, like a hardware bug. | ||
|
|
||
| In a software wallet implementing these recommendations, the impact of this vulnerability is indeed smaller, as exploitation of the bug against a user would require that either: | ||
|
|
||
| - the software wallet contains malware specifically targeting the vulnerability; | ||
| - the user skips the address verification step when receiving funds, which goes against the recommended security practices. | ||
|
|
||
| ## Credits | ||
|
|
||
| We would like to thank Kevin Loaec and Antoine Poinsot, who discovered the vulnerability and disclosed it through our bug bounty program. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters