Tendermint up to 0.31.11/0.32.9/0.33.2 P2P Connection Connection Request memory allocation
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
3.0 | $0-$5k | 0.00 |
A vulnerability, which was classified as problematic, was found in Tendermint up to 0.31.11/0.32.9/0.33.2. Affected is an unknown function of the component P2P Connection Handler. The manipulation as part of a Connection Request leads to a memory allocation vulnerability. CWE is classifying the issue as CWE-789. The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. This is going to have an impact on availability. CVE summarizes:
Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability. Tendermint does not limit the number of P2P connection requests. For each p2p connection, it allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. Additionally, Tendermint does not reclaim `activeID` of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before `AddPeer`, which leads to always growing memory (`activeIDs` map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting above denial of service), which ultimately will lead to the node panicking. These issues are patched in Tendermint 0.33.3 and 0.32.10. ### For more information If you have any questions or comments about this advisory: * Open an issue in tendermint/tendermint * Email us at [security@tendermint.com](mailto:security@tendermint.com) More information can be found here. ### Credits - Ethan Buchman (@ebuchman) for writing a test case for Denial of Service 2 and Tess Rinearson (@tessr) for fixing it - Anton Kaliaev (@melekes) for fixing Denial of Service 1
The weakness was presented 04/10/2020 (GitHub Repository). The advisory is shared for download at github.com. This vulnerability is traded as CVE-2020-5303 since 01/02/2020. The exploitability is told to be difficult. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.
Upgrading to version 0.31.12, 0.32.10 or 0.33.3 eliminates this vulnerability.
See VDB-124606 and VDB-159963 for similar entries.
Product
Name
Version
- 0.31.0
- 0.31.1
- 0.31.2
- 0.31.3
- 0.31.4
- 0.31.5
- 0.31.6
- 0.31.7
- 0.31.8
- 0.31.9
- 0.31.10
- 0.31.11
- 0.32.0
- 0.32.1
- 0.32.2
- 0.32.3
- 0.32.4
- 0.32.5
- 0.32.6
- 0.32.7
- 0.32.8
- 0.32.9
- 0.33.0
- 0.33.1
- 0.33.2
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 3.1VulDB Meta Temp Score: 3.0
VulDB Base Score: 3.1
VulDB Temp Score: 2.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 3.1
NVD Vector: 🔍
CNA Base Score: 3.1
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Memory allocationCWE: CWE-789 / CWE-400 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Tendermint 0.31.12/0.32.10/0.33.3
Patch: github.com
Timeline
01/02/2020 🔍04/10/2020 🔍
04/12/2020 🔍
05/18/2024 🔍
Sources
Advisory: e2d6859afd7dba4cf97c7f7d412e7d8fc908d1cdStatus: Not defined
Confirmation: 🔍
CVE: CVE-2020-5303 (🔍)
See also: 🔍
Entry
Created: 04/12/2020 08:23 AMUpdated: 05/18/2024 01:14 PM
Changes: 04/12/2020 08:23 AM (39), 04/12/2020 08:28 AM (11), 10/09/2020 02:34 PM (1), 05/18/2024 01:07 PM (18), 05/18/2024 01:14 PM (18)
Complete: 🔍
Cache ID: 34:D1F:40
No comments yet. Languages: en.
Please log in to comment.