Ledger Security Bulletin 015

13 January 2021: TX data of unsupported crypto assets are not be displayed by the Ethereum app 1.6.2

Summary

A regression in the version 1.6.2 of the Ethereum app led to the transaction data not being displayed by the app even if the “Contract data debug” option is enabled.

Details

Transactions of crypto assets which are supported by Ledger Live are secured by the device. All the relevant transaction fields are displayed by the Nano apps and validated by the user. This is indeed the threat model of Ledger hardware wallets.

Crypto assets (ERC20 tokens and smart contracts) which are not supported by Ledger Live can be managed by external wallets such as MEW or MyCrypto. Some transaction fields may not be parsed by the app in that case. However, the transaction data can still be displayed in hexadecimal by enabling the Contract data debug option.

The regression prevents this option from being functional, even if enabled.

Impact

An attacker having compromised the alternative user client can trick the user into signing a transaction by the Ethereum app 1.6.2 with a data field not being displayed. It should be highlighted that Ledger Live is not impacted by this regression.

Remediation

The regression is fixed in the Ethereum app from version 1.6.4 (commit f916a85a).

Credits

We would like to thank Tristan Savatier who discovered the regression and reported it through our bug bounty program.