Internet Computer ic-cdk up to 0.15.0 ic_cdk::call memory leak

Summaryinfo

A vulnerability was found in Internet Computer ic-cdk up to 0.15.0. It has been rated as critical. This affects the function ic_cdk::call. The manipulation leads to memory leak. This vulnerability is uniquely identified as CVE-2024-7884. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Internet Computer ic-cdk up to 0.15.0 and classified as critical. This issue affects the function ic_cdk::call. The manipulation with an unknown input leads to a memory leak vulnerability. Using CWE to declare the problem leads to CWE-401. The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. Impacted is availability. The summary by CVE is:

When a canister method is called via ic_cdk::call* , a new Future CallFuture is created and can be awaited by the caller to get the execution result. Internally, the state of the Future is tracked and stored in a struct called CallFutureState. A bug in the polling implementation of the CallFuture allows multiple references to be held for this internal state and not all references were dropped before the Future is resolved. Since we have unaccounted references held, a copy of the internal state ended up being persisted in the canister's heap and thus causing a memory leak. Impact Canisters built in Rust with ic_cdk and ic_cdk_timers are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker. Motoko based canisters are not affected by the bug. PatchesThe patch has been backported to all minor versions between >= 0.8.0, <= 0.15.0. The patched versions available are 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1 and their previous versions have been yanked. WorkaroundsThere are no known workarounds at the moment. Developers are recommended to upgrade their canister as soon as possible to the latest available patched version of ic_cdk to avoid running out of Wasm heap memory. Upgrading the canisters (without updating `ic_cdk`) also frees the leaked memory but it's only a temporary solution.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2024-7884 since 08/16/2024. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.

Upgrading to version 0.8.2, 0.9.3, 0.10.1, 0.11.5, 0.12.2, 0.13.4, 0.14.1 or 0.15.1 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Vendor

• Internet Computer

Name

• ic-cdk

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.8
• 0.8.0
• 0.8.1
• 0.9
• 0.9.0
• 0.9.1
• 0.9.2
• 0.10
• 0.10.0
• 0.11
• 0.11.0
• 0.11.1
• 0.11.2
• 0.11.3
• 0.11.4
• 0.12
• 0.12.0
• 0.12.1
• 0.13
• 0.13.0
• 0.13.1
• 0.13.2
• 0.13.3
• 0.14
• 0.14.0
• 0.15.0

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion