#VU84436 Embedded malicious code (backdoor) in connect-kit

Cybersecurity Help s.r.o.

Published: 2023-12-14

Vulnerability identifier: #VU84436

Vulnerability risk: High

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: N/A

CWE-ID: CWE-506

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
connect-kit
Web applications / JS libraries

Vendor: Ledger SAS

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to drain crypto assets from users' wallets.

Note, the vulnerability is being actively exploited in the wild.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

connect-kit: 1.1.5 - 1.1.7

External links
https://twitter.com/Ledger/status/1735298142118072512
https://twitter.com/MetaMask/status/1735291650614653364?s=20
https://twitter.com/blockaid_/status/1735275569586090221
https://twitter.com/Ledger/status/1735291427100455293

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Embedded malicious code in Ledger Connect Kit