Main Vulnerability Database SB2023081144

SB2023081144 - Information disclosure in ZenGo X Gotham city

Published: August 11, 2023 Updated: April 9, 2024

Security Bulletin ID SB2023081144

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cryptographic issues (CVE-ID: CVE-2023-33242)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in Lindell17 TSS protocol implementation in crypto wallets. A remote attacker can extract the full ECDSA private key by exfiltrating a single bit in every signature attempt (256 in total).

Remediation

Install update from vendor's website.

References

https://www.fireblocks.com/blog/lindell17-abort-vulnerability-technical-report/
https://github.com/fireblocks-labs/zengo-lindell17-exploit-poc
https://eprint.iacr.org/2017/552.pdf
https://github.com/fireblocks-labs/mpc-ecdsa-attacks-23