Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNDk0LTd4MnYtdnZ2cM4AA0sO
mx-chain-go's relayed transactions always increment nonce
Impact
When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction's sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag RelayedNonceFixEnableEpoch was needed. This was a strict processing issue while validating blocks on a chain.
Patches
v1.4.17 and later versions contain the fix for this issue
Workarounds
there were no workarounds for this issue. The affected account could only wait for the DoS attack to finish as the attack was not free or to attempt to send transactions in a very fast manner so as to compete on the same nonce with the attacker.
References
For the future understanding of this issue, on v1.4.17 and onwards versions, we have this integration test that addresses the issue and tests the fix.
https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNDk0LTd4MnYtdnZ2cM4AA0sO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
Identifiers: GHSA-j494-7x2v-vvvp, CVE-2023-34458
References:
- https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp
- https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43
- https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
- https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17
- https://nvd.nist.gov/vuln/detail/CVE-2023-34458
- https://github.com/advisories/GHSA-j494-7x2v-vvvp
Blast Radius: 0.0
Affected Packages
go:github.com/multiversx/mx-chain-go
Dependent packages: 10Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.4.17
Fixed in: 1.4.17
All affected versions: 0.0.4, 0.0.5, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.19, 1.0.20, 1.0.23, 1.0.24, 1.0.25, 1.0.28, 1.0.29, 1.0.30, 1.0.31, 1.0.33, 1.0.34, 1.0.35, 1.0.36, 1.0.37, 1.0.38, 1.0.39, 1.0.40, 1.0.41, 1.0.42, 1.0.44, 1.0.45, 1.0.47, 1.0.48, 1.0.49, 1.0.50, 1.0.51, 1.0.52, 1.0.53, 1.0.54, 1.0.55, 1.0.56, 1.0.57, 1.0.58, 1.0.59, 1.0.60, 1.0.61, 1.0.62, 1.0.63, 1.0.64, 1.0.65, 1.0.66, 1.0.67, 1.0.68, 1.0.69, 1.0.70, 1.0.71, 1.0.72, 1.0.73, 1.0.74, 1.0.75, 1.0.76, 1.0.77, 1.0.78, 1.0.79, 1.0.80, 1.0.81, 1.0.82, 1.0.83, 1.0.84, 1.0.85, 1.0.86, 1.0.87, 1.0.88, 1.0.89, 1.0.91, 1.0.92, 1.0.93, 1.0.94, 1.0.95, 1.0.96, 1.0.97, 1.0.98, 1.0.99, 1.0.100, 1.0.101, 1.0.102, 1.0.103, 1.0.104, 1.0.105, 1.0.106, 1.0.107, 1.0.108, 1.0.109, 1.0.110, 1.0.111, 1.0.112, 1.0.113, 1.0.114, 1.0.115, 1.0.116, 1.0.117, 1.0.118, 1.0.120, 1.0.121, 1.0.122, 1.0.123, 1.0.124, 1.0.125, 1.0.126, 1.0.127, 1.0.128, 1.0.129, 1.0.130, 1.0.131, 1.0.132, 1.0.133, 1.0.134, 1.0.135, 1.0.136, 1.0.137, 1.0.138, 1.0.139, 1.0.140, 1.0.141, 1.0.142, 1.0.143, 1.0.144, 1.0.145, 1.0.146, 1.0.147, 1.0.148, 1.0.149, 1.0.150, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.1.19, 1.1.20, 1.1.21, 1.1.22, 1.1.23, 1.1.24, 1.1.25, 1.1.26, 1.1.27, 1.1.28, 1.1.29, 1.1.30, 1.1.31, 1.1.32, 1.1.33, 1.1.34, 1.1.35, 1.1.36, 1.1.37, 1.1.38, 1.1.39, 1.1.40, 1.1.41, 1.1.42, 1.1.43, 1.1.44, 1.1.45, 1.1.46, 1.1.47, 1.1.48, 1.1.49, 1.1.50, 1.1.51, 1.1.52, 1.1.53, 1.1.54, 1.1.55, 1.1.56, 1.1.57, 1.1.58, 1.1.59, 1.1.60, 1.1.61, 1.1.62, 1.1.63, 1.1.64, 1.1.65, 1.1.66, 1.1.67, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.7, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.2.19, 1.2.20, 1.2.21, 1.2.22, 1.2.23, 1.2.24, 1.2.25, 1.2.26, 1.2.27, 1.2.28, 1.2.29, 1.2.30, 1.2.31, 1.2.32, 1.2.33, 1.2.34, 1.2.35, 1.2.36, 1.2.37, 1.2.38, 1.2.40, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.3.17, 1.3.18, 1.3.19, 1.3.20, 1.3.21, 1.3.22, 1.3.23, 1.3.24, 1.3.25, 1.3.26, 1.3.27, 1.3.28, 1.3.29, 1.3.30, 1.3.31, 1.3.32, 1.3.33, 1.3.34, 1.3.35, 1.3.36, 1.3.37, 1.3.38, 1.3.39, 1.3.40, 1.3.41, 1.3.42, 1.3.43, 1.3.44, 1.3.45, 1.3.46, 1.3.47, 1.3.48, 1.3.49, 1.3.50, 1.3.51, 1.3.52, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16
All unaffected versions: 1.4.17, 1.4.18, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8