From 28fde4cbd56c8fc12bfc1042509bf68568b258af Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Thu, 11 May 2023 17:32:20 +0200 Subject: [PATCH] LSB 019 --- _lsb/019.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ lsb.md | 1 + 2 files changed, 53 insertions(+) create mode 100644 _lsb/019.md diff --git a/_lsb/019.md b/_lsb/019.md new file mode 100644 index 0000000..6f43644 --- /dev/null +++ b/_lsb/019.md @@ -0,0 +1,52 @@ +--- +layout: page +title: Ledger Security Bulletin 019 +summary: Invalid addresses for certain miniscript policies +--- + +11 May 2023: Invalid addresses for certain miniscript policies + +## Summary + +Miniscript is a language to define possibly complex spending conditions for bitcoin wallets. + +The Ledger bitcoin app supports miniscript policies since version 2.1.0, deployed in February 2023. + +Versions 2.1.0 and 2.1.1 of the app incorrectly handle the `a:` fragment, causing the app to produce wrong addresses. + +In theory this is critical as the device is usually trusted to display the right address. In practice, the impact is limited, as there is no currently deployed wallet software with a full integration with such policies. + +Any other wallet not using miniscript, or any miniscript policy not containing the `a:` fragment, is not affected. + +Users who encounter issues related to spending Bitcoins can reach out [Ledger Support](https://support.ledger.com/hc/en-us/articles/4423020306705-Contact-Us?support=true). + +## Description + +The `a:` fragment was incorrectly implemented in the Ledger bitcoin app. + +Read more in the [detailed report by Antoine Poinsot](https://wizardsardine.com/blog/ledger-vulnerability-disclosure/) showing how the vulnerability could be exploited. + +## Mitigations + +The 2.1.2 version of the app fixed the handling of the `a:` fragment. Users making use of miniscript policies are strongly recommended to upgrade. + +As a further mitigation, all the three client libraries have been updated to reject miniscript policies containing the `a:` fragment on the affected versions of the Ledger bitcoin app; this reduces the risk of incorrectly implemented software wallets using the wrong receiving addresses: + +- [ledger-bitcoin](https://pypi.org/project/ledger-bitcoin/) Python client on Pypi, version `0.2.1`. +- [ledger-bitcoin](https://www.npmjs.com/package/ledger-bitcoin) JavaScript client on npm, version `0.2.1`. +- [ledger_bitcoin_client](https://crates.io/crates/ledger_bitcoin_client) Rust crate on crates.io, version `0.1.3`. + +## Recommendations for software wallets + +Generally, it is strongly recommended that software wallets fully implement the address verification flow on the device screen, This allows the user to inspect the address. Absent that, users are inherently more vulnerable to malware installed on the user's machine that might (for example) replace the receiving address. + +Moreover, software wallets would typically be able to generate the addresses independently (for example, in order to scan for incoming transactions). Therefore, it is recommended that once the user approves an address (prior to receiving funds), the software wallet compares the address it expects with the one returned by the hardware wallet. This is in line with the principles of [_defense in depth_](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)), where seemingly redundant security checks do in fact increase the overall security when unexpected situations do occur, like a hardware bug. + +In a software wallet implementing these recommendations, the impact of this vulnerability is indeed smaller, as exploitation of the bug against a user would require that either: + +- the software wallet contains malware specifically targeting the vulnerability; +- the user skips the address verification step when receiving funds, which goes against the recommended security practices. + +## Credits + +We would like to thank Kevin Loaec and Antoine Poinsot, who discovered the vulnerability and disclosed it through our bug bounty program. diff --git a/lsb.md b/lsb.md index 71fa3fe..971a9df 100644 --- a/lsb.md +++ b/lsb.md @@ -13,6 +13,7 @@ through the [bug bounty program](/bounty/). | Date | Title | |------------|-----------------------------------------------------------------| +| 2023-05-11 | [LSB 019: Invalid addresses for certain miniscript policies](019) | | 2022-08-05 | [LSB 018: Invalid command processing on HSM firmware](018) | | 2022-07-04 | [LSB 017: Keycard bypass on Ledger HW.1](017) | | 2021-05-17 | [LSB 016: Length-extension attack on SCP](016) |