ghsa-p7mv-53f2-4cwj
Vulnerability from github
Published
2024-11-06 15:33
Modified
2024-11-20 19:31
Severity ?
8.3 (High) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data
Details

Name: ASA-2024-011: Vote Extensions: Panic when receiving a Pre-commit with an invalid data Component: CometBFT Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2) Affected versions: >= 0.38.x, unreleased v1.x and main development branches Affected users: Chain Builders + Maintainers, Validators

Impact

A CometBFT node running in a network with vote extensions enabled could produce an invalid Vote message and send it to its peers. The invalid field of the Vote message is the ValidatorIndex, which identifies the sender in the ValidatorSet running that height of consensus. This field is ordinarily verified in the processing of Vote messages, but it turns out that in the case of a Vote message of type Precommit and for a non-nil BlockID, a logic was introduced before this ordinary verification to handle the attached vote extension. This introduced logic (not present in releases prior to 0.38.x) does not double-check the validity of the ValidatorIndex field. The result is a panic in the execution of the node receiving and processing such message.

Impact Qualification

This condition requires the introduction of malicious code in the full node sending this Vote message to its peers. Namely, nodes running upstream code cannot produce invalid Vote messages, with non-existing ValidatorIndex. Moreover, networks utilizing default behavior, where vote extensions are not enabled, are not affected by this issue.

Patches

The new CometBFT release v0.38.15 fixes this issue.

Unreleased code in the main and v1.x branches, and experimental code in the v0.38-experimental and v1.x-experimental branches are patched as well.

Workarounds

When the consensus code panics after receiving an invalid Vote message, the operator can identify the peer from which that message was received. This may require increasing the logging level of the consensus module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.

References

Timeline

  • October 21, 2024, 3:26pm PST: Issue reported to the Cosmos Bug Bounty program
  • October 21, 2024, 3:41pm PST: Issue triaged by Amulet on-call, and distributed to Core team
  • October 29, 2024, 11:35pm PST: Core team completes validation of issue
  • October 30, 2024, 3:33am PST: Core team completes patch for issue
  • October 30, 2024, 5:09am PST: Amulet creates coordination plan; schedule for distribution
  • November 4, 2024, 8:00pm GMT: Pre-notification delivered
  • November 6, 2024, 8:00am GMT: Patch made available

This issue was reported by corverroos to the Cosmos Bug Bounty Program on HackerOne on October 21, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cometbft/cometbft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.38.0"
            },
            {
              "fixed": "0.38.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-129"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-06T15:33:55Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Name: ASA-2024-011: Vote Extensions: Panic when receiving a Pre-commit with an invalid data\nComponent: CometBFT\nCriticality: High (Considerable Impact, and Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: `\u003e= 0.38.x`, unreleased `v1.x` and `main` development branches\nAffected users: Chain Builders + Maintainers, Validators\n\n### Impact\n\nA CometBFT node running in a network with [vote extensions][abci-spec] enabled could produce an invalid `Vote` message and send it to its peers. The invalid field of the `Vote` message is the `ValidatorIndex`, which identifies the sender in the `ValidatorSet` running that height of consensus. This field is ordinarily verified in the processing of `Vote` messages, but it turns out that in the case of a `Vote` message of type `Precommit` and for a non-`nil` `BlockID`, [a logic was introduced](https://github.com/cometbft/cometbft/blame/46621a87064b2ae235e122e66d9b22417b3aa35e/internal/consensus/state.go#L2357-L2364) before this ordinary verification to handle the attached vote extension. This introduced logic (not present in releases prior to `0.38.x`) does not double-check the validity of the `ValidatorIndex` field. The result is a panic in the execution of the node receiving and processing such message.\n\n#### Impact Qualification\nThis condition requires the introduction of malicious code in the full node sending this `Vote` message to its peers. Namely, nodes running upstream code cannot produce invalid `Vote` messages, with non-existing `ValidatorIndex`. Moreover, networks utilizing default behavior, where vote extensions are not enabled, are not affected by this issue.\n\n### Patches\n\nThe new CometBFT release [`v0.38.15`][v0.38.15] fixes this issue.\n\nUnreleased code in the `main` and `v1.x` branches, and experimental code in the `v0.38-experimental` and `v1.x-experimental` branches are patched as well.\n\n### Workarounds\n\nWhen the consensus code panics after receiving an invalid `Vote` message, the operator can identify the peer from which that message was received. This may require increasing the logging level of the `consensus` module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.  \n\n### References\n\n- [ABCI spec][abci-spec], in particular the operation of vote extensions\n- [Patched v0.38 release][v0.38.15]\n\n[abci-spec]: https://docs.cometbft.com/v0.38/spec/abci/abci++_basic_concepts\n[v0.38.15]: https://github.com/cometbft/cometbft/releases/tag/v0.38.15\n\n### Timeline\n\n* October 21, 2024, 3:26pm PST: Issue reported to the Cosmos Bug Bounty program\n* October 21, 2024, 3:41pm PST: Issue triaged by Amulet on-call, and distributed to Core team\n* October 29, 2024, 11:35pm PST: Core team completes validation of issue\n* October 30, 2024, 3:33am PST: Core team completes patch for issue\n* October 30, 2024, 5:09am PST: Amulet creates coordination plan; schedule for distribution\n* November 4, 2024, 8:00pm GMT: Pre-notification delivered\n* November 6, 2024, 8:00am GMT: Patch made available\n\n\nThis issue was reported by [corverroos](https://github.com/corverroos) to the Cosmos Bug Bounty Program on HackerOne on October 21, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io).  For more information about the Interchain Foundation\u2019s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.  \n\nA Github Security Advisory for this issue is available in the CometBFT [repository](https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj). For more information about CometBFT, see https://docs.cometbft.com/.",
  "id": "GHSA-p7mv-53f2-4cwj",
  "modified": "2024-11-20T19:31:30Z",
  "published": "2024-11-06T15:33:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj"
    },
    {
      "type": "WEB",
      "url": "https://docs.cometbft.com/v0.38/spec/abci/abci++_basic_concepts"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cometbft/cometbft"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/releases/tag/v0.38.15"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3259"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.