CVE-2021-44033
Description
Ionic Identity Vault before 5.0.5 allows bypassing the PIN unlock attempt lockout mechanism, enabling unlimited brute-force attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Ionic Identity Vault prior to version 5.0.5, the protection mechanism that limits invalid unlock attempts (typically triggering a lockout after a threshold of failed PIN entries) can be bypassed. The vulnerability resides in the vault unlock logic and is reachable when the vault is configured to use PIN-based authentication. Affected versions: all versions before 5.0.5.
Exploitation
An attacker with physical access to the device or the ability to run a malicious application on the same device (i.e., local access) can exploit this flaw. The attacker repeatedly submits invalid PINs or biometric unlocks; due to the bypass, the lockout counter is not properly incremented or enforced, allowing an arbitrary number of attempts. No authentication is needed to start the attack because the attacker can simply attempt to unlock the vault repeatedly.
Impact
Successful exploitation enables an attacker to perform unlimited brute-force attacks against the vault's PIN or passcode. This can lead to unauthorized access to all secrets stored in the vault (credentials, tokens, keys), resulting in a complete compromise of the vault's data confidentiality and integrity.
Mitigation
Upgrade to Ionic Identity Vault version 5.0.5 or later, which fixes the bypass [1]. As of the advisory, no workaround is available for unpatched versions [1]. Users on unsupported or older versions should upgrade immediately to prevent exploitation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Ionic/Identity Vault
- Range: <5.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- packetstormsecurity.com/files/165027/Ionic-Identity-Vault-5.0.4-PIN-Unlock-Lockout-Bypass.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2021/Nov/41 (mitre, mailing-list, x_refsource_FULLDISC)
- ionic.io/docs/identity-vault/changelog (mitre, x_refsource_MISC)