GHSA-JVGW-GCCV-Q5P8
Vulnerability from github – Published: 2022-12-07 20:28 – Updated: 2023-07-14 21:53Impact
An attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network.
Details
In the original version of the attack, the malicious node would continuously open new streams on a single connection using a stream multiplexer that doesn’t provide sufficient back pressure (mplex or yamux). While allocations per stream might be considered small, they multiply with the number of streams and connections. It is easy to defend against this one attack, e.g. by setting a strict per connection stream limit and connection limit. But there are other variations of this attack, e.g. causing memory allocations by sending partial payloads on various protocol levels, forcing the victim to buffer the partial payload for a period of time or by tricking the victim into pre-allocating buffers for messages which are never sent by the attacker.
Patches
Users are advised to upgrade to libp2p v0.45.1 or above.
References
Please see our DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.
Please see the related disclosure for go-libp2p: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw and js-libp2p: https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv
For more information
If you have any questions or comments about this advisory, please email us at security@libp2p.io.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.45.0"
},
"package": {
"ecosystem": "crates.io",
"name": "libp2p"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.45.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23486"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-07T20:28:46Z",
"nvd_published_at": "2022-12-07T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAn attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim\u2019s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network.\n\n### Details\n\nIn the original version of the attack, the malicious node would continuously open new streams on a single connection using a stream multiplexer that doesn\u2019t provide sufficient back pressure (mplex or yamux). While allocations per stream might be considered small, they multiply with the number of streams and connections. It is easy to defend against this one attack, e.g. by setting a strict per connection stream limit and connection limit. But there are other variations of this attack, e.g. causing memory allocations by sending partial payloads on various protocol levels, forcing the victim to buffer the partial payload for a period of time or by tricking the victim into pre-allocating buffers for messages which are never sent by the attacker.\n\n### Patches\n\nUsers are advised to upgrade to `libp2p` `v0.45.1` or above.\n\n### References\nPlease see our DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.\n\nPlease see the related disclosure for go-libp2p: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw and js-libp2p: https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv\n\n### For more information\nIf you have any questions or comments about this advisory, please email us at security@libp2p.io.\n",
"id": "GHSA-jvgw-gccv-q5p8",
"modified": "2023-07-14T21:53:44Z",
"published": "2022-12-07T20:28:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw"
},
{
"type": "WEB",
"url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
},
{
"type": "WEB",
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23486"
},
{
"type": "PACKAGE",
"url": "https://github.com/libp2p/rust-libp2p"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0084.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "libp2p DoS vulnerability from lack of resource management"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.