GHSA-VJ62-G63V-F8MF

Vulnerability from github – Published: 2021-10-13 18:53 – Updated: 2024-10-24 21:53
VLAI?
Summary
Validity check missing in Frontier
Details

Impact

In the newly introduced signed Frontier-specific extrinsic for pallet-ethereum, a large part of transaction validation logic was only called in transaction pool validation, but not in block execution. Malicious validators can take advantage of this to put invalid transactions into a block.

The attack is limited in that the signature is always validated, and the majority of the validation is done again in the subsequent pallet-evm execution logic. However, do note that a chain ID replay attack was possible. In addition, spamming attacks are of main concerns, while they are limited by Substrate block size limits and other factors.

Patches

The issue is patched in commit 146bb48849e5393004be5c88beefe76fdf009aba.

References

Patch PR: https://github.com/paritytech/frontier/pull/495

For more information

If you have any questions or comments about this advisory: * Open an issue in Frontier repo

Special thanks

Special thanks to @librelois, @nanocryk and the Moonbeam team for reporting and fixing this security vulnerability.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "pallet-ethereum"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-13T17:34:31Z",
    "nvd_published_at": "2021-10-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn the newly introduced signed Frontier-specific extrinsic for `pallet-ethereum`, a large part of transaction validation logic was only called in transaction pool validation, but not in block execution. Malicious validators can take advantage of this to put invalid transactions into a block.\n\nThe attack is limited in that the signature is always validated, and the majority of the validation is done again in the subsequent `pallet-evm` execution logic. However, do note that a chain ID replay attack was possible. In addition, spamming attacks are of main concerns, while they are limited by Substrate block size limits and other factors.\n\n### Patches\n\nThe issue is patched in commit 146bb48849e5393004be5c88beefe76fdf009aba.\n\n### References\n\nPatch PR: https://github.com/paritytech/frontier/pull/495\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Frontier repo](https://github.com/paritytech/frontier/issues)\n\n### Special thanks\n\nSpecial thanks to @librelois, @nanocryk and the Moonbeam team for reporting and fixing this security vulnerability.",
  "id": "GHSA-vj62-g63v-f8mf",
  "modified": "2024-10-24T21:53:15Z",
  "published": "2021-10-13T18:53:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/frontier/security/advisories/GHSA-vj62-g63v-f8mf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/frontier/pull/495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/frontier/pull/497"
    },
    {
      "type": "WEB",
      "url": "https://github.com/paritytech/frontier/commit/146bb48849e5393004be5c88beefe76fdf009aba"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/polkadot-evm/frontier"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Validity check missing in Frontier"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.