GHSA-5873-6FWQ-463F

Vulnerability from github – Published: 2023-10-25 14:09 – Updated: 2023-10-25 14:09
VLAI?
Summary
stellar-strkey vulnerable to panic in SignedPayload::from_payload
Details

Impact

Panic vulnerability when a specially crafted payload is used. This is because of the following calculation:

inner_payload_len + (4 - inner_payload_len % 4) % 4

If inner_payload_len is 0xffffffff, (4 - inner_payload_len % 4) % 4 = 1 so

inner_payload_len + (4 - inner_payload_len % 4) % 4 = u32::MAX + 1

which overflow.

Patches

Check that inner_payload_len is not above 64 which should never be the case. Patched in version 0.0.8

Workarounds

Sanitize input payload before it is passed to the vulnerable function so that bytes in payload[32..32+4] and parsed as a u32 is not above 64.

References

GitHub issue #58

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "stellar-strkey"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-25T14:09:10Z",
    "nvd_published_at": "2023-10-25T18:17:36Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nPanic vulnerability when a specially crafted payload is used. \nThis is because of the following calculation:\n```rust\ninner_payload_len + (4 - inner_payload_len % 4) % 4\n```\nIf `inner_payload_len` is `0xffffffff`, `(4 - inner_payload_len % 4) % 4 = 1` so\n```rust\ninner_payload_len + (4 - inner_payload_len % 4) % 4 = u32::MAX + 1\n```\nwhich overflow.\n\n### Patches\nCheck that `inner_payload_len` is not above 64 which should never be the case.\nPatched in version 0.0.8\n\n### Workarounds\nSanitize input payload before it is passed to the vulnerable function so that bytes in `payload[32..32+4]` and parsed as a `u32` is not above 64.\n\n### References\nGitHub issue #58\n",
  "id": "GHSA-5873-6fwq-463f",
  "modified": "2023-10-25T14:09:10Z",
  "published": "2023-10-25T14:09:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/security/advisories/GHSA-5873-6fwq-463f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46135"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/issues/58"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/pull/59"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/commit/83adad0f5b1cda693c7ba8524d395add8077865f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stellar/rs-stellar-strkey"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/releases/tag/v0.0.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "stellar-strkey vulnerable to panic in SignedPayload::from_payload"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.