Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qMzVwLXEyNHItNTM2N80_ng

Dep Group Remote Memory Exhaustion (Denial of Service) in ckb

Impact

A remote attacker could exploit this vulnerability to exhaust ckb process memory of an affected node.

Patches

Upgrade to 0.43.1 or later.

References

After resolving the outpoints of one dep group, we put the corresponding content into a vec ( https://github.com/nervosnetwork/ckb/blob/v0.42.0/util/types/src/core/cell.rs#L600-L617 ), there is a vulnerability to a memory dos attack because there is no determination of whether the outpoints is duplicated.

PoC:

before send dos tx rss:
105700

after rss:
2306932

DoS cost: 25.6 KB * 150 + dep_tx out_points capacity ( 36 * 150 * 100 = 540000 ) = 4380000 CKB
Send 50 dos_tx, memory exhausted: (25.6 KB * 150 * 100) * 50 = 19.2 GB

Permalink: https://github.com/advisories/GHSA-j35p-q24r-5367
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMzVwLXEyNHItNTM2N80_ng
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: about 2 years ago

Identifiers: GHSA-j35p-q24r-5367
References:

Repository: https://github.com/nervosnetwork/ckb
Blast Radius: 1.0

Affected Packages

cargo:ckb

Dependent packages: 0
Dependent repositories: 0
Downloads: 75,522 total
Affected Version Ranges: < 0.43.1
Fixed in: 0.43.1
All affected versions: 0.1.0, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.40.0, 0.42.0, 0.43.0
All unaffected versions: 0.43.2, 0.100.0, 0.101.0, 0.101.1, 0.101.2, 0.101.3, 0.101.4, 0.101.5, 0.101.6, 0.101.7, 0.101.8, 0.102.0, 0.103.0, 0.104.0, 0.104.1, 0.105.0, 0.105.1, 0.106.0, 0.107.0, 0.108.0, 0.108.1, 0.109.0, 0.110.0, 0.110.1, 0.110.2, 0.111.0, 0.112.0, 0.112.1, 0.113.0, 0.113.1, 0.114.0, 0.115.0, 0.116.0, 0.116.1, 0.117.0, 0.118.0, 0.119.0, 0.120.0, 0.121.0