CVE-2019-14354

Summary

CVE	CVE-2019-14354
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-08-10 16:15:00 UTC
Updated	2021-07-21 11:39:00 UTC
Description	On Ledger Nano S and Nano X devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data.

Risk And Classification

Problem Types: CWE-203

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Ledger	Nano S	-	All	All	All
Hardware	Ledger	Nano S	-	All	All	All
Operating System	Ledger	Nano S Firmware	-	All	All	All
Operating System	Ledger	Nano S Firmware	-	All	All	All
Hardware	Ledger	Nano X	-	All	All	All
Hardware	Ledger	Nano X	-	All	All	All
Operating System	Ledger	Nano X Firmware	-	All	All	All
Operating System	Ledger	Nano X Firmware	-	All	All	All

References

Reference	Source	Link	Tags
OLED screen (minor) vulnerability \| Donjon	MISC	ledger-donjon.github.io	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.