
Release v7.3.2 / Bootloader v2.1.4

@mrnerdhair mrnerdhair released this 26 Apr 20:32

New Features

  • Cosmos staking and delegation messages are now supported. (6aa5cd9)

  • Cosmos IBC transfers are now supported. (6aa5cd9)

  • The duration of the auto-lock timeout is now reported as part of the Features message. (93afdd1)

Bug Fixes / Other Changes

  • The WebUSB descriptors have been updated to refer to app.shapeshift.com rather than beta.shapeshift.com. (ed2604f)

  • The mechanism the bootloader updater uses to put the bootloader back into firmware update mode has been made more reliable during updates from a 2.x-series bootloader to another 2.x-series bootloader. (18da57f)

Security Improvements

  • Several improper bounds checks existed in the bootloader's flash write and erase handlers. While effective in normal operation against accidental errors, they could have been bypassed by malicious or compromised firmware. These issues have been addressed by improving the bounds checks. (447c1f0)

    Any attacker who could take advantage of these issues would first have to have exploited a separate vulnerability severe enough on its own to allow theft of your seed phrase, had physical access to your device, or convinced you to load malicious unofficial firmware and ignore the associated warnings. Such an attacker, however, could exploit these issues to implant malware in the bootloader, which could survive even a complete device wipe and firmware reset.

    These bounds-check vulnerabilities were responsibly disclosed to us by Christian Reitter in a comprehensive and professional report, and MITRE has assigned them CVE-2022-30330. We have no evidence that they have been exploited in the wild. Still, this issue is serious, and we recommend that all users update their bootloader and firmware.

  • The U2F login and registration flow required that the button be held down, but not that it be pressed during the confirmation process. This meant that under particular circumstances an attacker could potentially confuse a user into confirming a U2F login or registration when they intended to confirm a different action, like a transaction, instead. This issue has been addressed by improving the handling of button state in the U2F confirmation flow. (da8b101)

    This issue was responsibly disclosed to us by Christian Reitter. We have no evidence that it has been exploited in the wild. Still, we recommend that users who use KeepKey as a U2F authenticator update their firmware.

  • The MPU was not active while executing interrupt handler code. The bootloader now opts in to MPU protection for interrupt handlers as a defense-in-depth measure. (f8fd1fb)

    Thanks to Christian Reitter for suggesting this improvement.
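The flash write/erase bounds-check item above is the kind of defect where a check on the start address alone is not enough. The following is an added illustration, not code from the KeepKey bootloader; the flash layout constants are constructed for the example and are not KeepKey's real addresses. It shows a weak start-only check beside a hardened check that also rejects zero length, 32-bit wrap-around of addr+len, and any range that runs past the writable region or touches the bootloader sectors.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flash layout for this example; these are NOT KeepKey's real
 * addresses, just assumptions so the checks have something to compare against. */
#define APP_START        0x08010000u   /* first address firmware may write */
#define APP_END          0x08100000u   /* exclusive end of writable region */
#define BOOTLOADER_START 0x08000000u
#define BOOTLOADER_END   0x08008000u   /* exclusive; never writable from firmware */

/* Weak check: validates only where the write starts. A length that runs past
 * APP_END, or an addr+len that wraps around 32 bits, is not caught. */
bool flash_write_allowed_weak(uint32_t addr, uint32_t len) {
    (void)len;
    return addr >= APP_START && addr < APP_END;
}

/* Hardened check: reject empty writes, reject arithmetic wrap-around, and
 * require the entire [addr, addr+len) range to sit inside the writable region. */
bool flash_write_allowed(uint32_t addr, uint32_t len) {
    if (len == 0)
        return false;
    if (addr > UINT32_MAX - len)      /* addr + len would overflow uint32_t */
        return false;
    uint32_t end = addr + len;        /* exclusive end, known not to wrap */
    if (addr < APP_START || end > APP_END)
        return false;
    /* Explicit bootloader exclusion, independent of how APP_START is chosen. */
    if (addr < BOOTLOADER_END && end > BOOTLOADER_START)
        return false;
    return true;
}

int main(void) {
    /* A write that starts inside the region but runs off its end. */
    printf("overrun  weak=%d hardened=%d\n",
           flash_write_allowed_weak(0x080FFFF0u, 0x100u),
           flash_write_allowed(0x080FFFF0u, 0x100u));
    /* A length chosen so that addr + len wraps back below APP_START. */
    printf("wrap     weak=%d hardened=%d\n",
           flash_write_allowed_weak(0x08020000u, 0xFFFFFFF0u),
           flash_write_allowed(0x08020000u, 0xFFFFFFF0u));
    return 0;
}
```

The same pattern applies to an erase handler: validate the whole sector range the request covers, not just its first sector.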

Notes

  • Version numbers sometimes get skipped so that they don't overlap with the numbering of internal release-candidate test builds. In this case, firmware versions 7.3.0 and 7.3.1 and bootloader versions 2.1.0, 2.1.1, 2.1.2, and 2.1.3 were used for internal builds and skipped for the production release.