ghsa-4xc9-8hmq-j652
Vulnerability from github
Impact
A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node.
In order to carry out the attack, the attacker establishes a peer connection to the victim and sends a malicious `GetBlockHeadersRequest` message with a `count` of `0`, using the `ETH` protocol.
In `descendants := chain.GetHeadersFrom(num+count-1, count-1)`, the value of `count-1` is passed to the function `GetHeadersFrom(number, count uint64)` as parameter `count`. Because `count` is an unsigned 64-bit integer, `count-1` wraps around on integer overflow, so `UINT64_MAX` is passed as the `count` argument to `GetHeadersFrom(number, count uint64)`. This allows an attacker to bypass `maxHeadersServe` and request all headers from the latest block back to the genesis block.
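As an added illustration (not go-ethereum's code), a simplified Go model of the arithmetic quoted above: the `chain` type, `getHeadersFrom`, the value of `maxHeadersServe` and the chain size are all constructed for this example, and `serveFixed` (rejecting `count == 0` before any subtraction) is an assumed hardening, not the upstream patch.

```go
package main

import "fmt"

// maxHeadersServe stands in for the cap named in the advisory (constructed value).
const maxHeadersServe = 1024

// chain is a constructed stand-in for the header chain: it only tracks its head
// block number and serves block numbers in place of real headers.
type chain struct{ head uint64 }

// getHeadersFrom models GetHeadersFrom(number, count uint64): walk backwards from
// `number` collecting up to `count` headers. It applies no cap of its own.
func (c *chain) getHeadersFrom(number, count uint64) []uint64 {
	if number > c.head {
		return nil // start beyond the chain head: nothing to serve
	}
	var out []uint64
	for i := uint64(0); i < count && i <= number; i++ {
		out = append(out, number-i)
	}
	return out
}

// serveVulnerable keeps the arithmetic quoted in the advisory. count is capped,
// but with count == 0 the uint64 expression count-1 wraps to math.MaxUint64.
func (c *chain) serveVulnerable(num, count uint64) []uint64 {
	if count > maxHeadersServe {
		count = maxHeadersServe
	}
	return c.getHeadersFrom(num+count-1, count-1)
}

// serveFixed is the hardened form assumed here (not the upstream patch): refuse a
// zero count before any subtraction can wrap.
func (c *chain) serveFixed(num, count uint64) []uint64 {
	if count == 0 {
		return nil
	}
	if count > maxHeadersServe {
		count = maxHeadersServe
	}
	return c.getHeadersFrom(num+count-1, count-1)
}

func main() {
	c := &chain{head: 4999} // constructed chain of 5000 headers, genesis is block 0
	fmt.Println("vulnerable, count=0:", len(c.serveVulnerable(2000, 0))) // 2000: every header back to genesis
	fmt.Println("fixed, count=0:", len(c.serveFixed(2000, 0)))           // 0
}
```

With a real chain the vulnerable path would materialise every header from the requested block back to genesis in one response, which is the memory exhaustion the advisory describes.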
Patches
The fix has been included in geth version `1.13.15` and onwards.
The vulnerability was patched in: https://github.com/ethereum/go-ethereum/pull/29534
Workarounds
No workarounds have been made public.
References
No more information is released at this time.
Credit
This issue was disclosed responsibly by DongHan Kim via the Ethereum bug bounty program. Thank you for your cooperation.
Record metadata
- ID: GHSA-4xc9-8hmq-j652
- Aliases: CVE-2024-32972
- Summary: go-ethereum vulnerable to DoS via malicious p2p message
- Affected package: github.com/ethereum/go-ethereum (Go ecosystem); introduced in 0, fixed in 1.13.15
- Severity: HIGH; CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE: CWE-400
- Published: 2024-05-06T14:20:40Z (GitHub reviewed 2024-05-06T14:20:40Z; NVD published 2024-05-06T15:15:23Z); modified: 2024-08-16T18:15:47Z
- Reference (WEB): https://github.com/ethereum/go-ethereum/security/advisories/GHSA-4xc9-8hmq-j652
- Reference (ADVISORY): https://nvd.nist.gov/vuln/detail/CVE-2024-32972
- Reference (ADVISORY): https://github.com/advisories/GHSA-4xc9-8hmq-j652
- Reference (PACKAGE): https://github.com/ethereum/go-ethereum
- Reference (WEB): https://github.com/ethereum/go-ethereum/compare/v1.13.14...v1.13.15
- Schema version: 1.4.0