CVE-2020-6861
Published May 6, 2020
A flawed protocol design in the Ledger Monero app before 1.5.1 for Ledger Nano and Ledger S devices allows a local attacker to extract the master spending key by sending crafted messages to this app selected on a PIN-entered Ledger connected to a host PC.
Affected Software
3 affected components
Ledger Monero < 1.5.1
Ledger Nano S
Ledger Nano X
Event History
May 6, 2020
CVE Published via MITRE · 01:15 PM
Data Sourced via MITRE · 01:15 PM
Frequently Asked Questions
1. What is the severity of CVE-2020-6861?
CVE-2020-6861 has a high severity rating due to its potential to expose the master spending key to local attackers.
2. How do I fix CVE-2020-6861?
To fix CVE-2020-6861, update to the Ledger Monero app version 1.5.1 or later.
3. Who is affected by CVE-2020-6861?
Users of the Ledger Monero app prior to version 1.5.1 are affected by CVE-2020-6861.
4. What type of attack does CVE-2020-6861 enable?
CVE-2020-6861 enables local attackers to extract the master spending key through crafted messages.
5. How can I determine if I'm at risk from CVE-2020-6861?
If you are using a version of the Ledger Monero app older than 1.5.1, you are at risk from CVE-2020-6861.