Name: ASA-2024-011: Vote Extensions: Panic when receiving a Pre-commit with an invalid data
Component: CometBFT
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: >= 0.38.x
, unreleased v1.x
and main
development branches
Affected users: Chain Builders + Maintainers, Validators
Impact
A CometBFT node running in a network with vote extensions enabled could produce an invalid Vote
message and send it to its peers. The invalid field of the Vote
message is the ValidatorIndex
, which identifies the sender in the ValidatorSet
running that height of consensus. This field is ordinarily verified in the processing of Vote
messages, but it turns out that in the case of a Vote
message of type Precommit
and for a non-nil
BlockID
, a logic was introduced before this ordinary verification to handle the attached vote extension. This introduced logic (not present in releases prior to 0.38.x
) does not double-check the validity of the ValidatorIndex
field. The result is a panic in the execution of the node receiving and processing such message.
Impact Qualification
This condition requires the introduction of malicious code in the full node sending this Vote
message to its peers. Namely, nodes running upstream code cannot produce invalid Vote
messages, with non-existing ValidatorIndex
. Moreover, networks utilizing default behavior, where vote extensions are not enabled, are not affected by this issue.
Patches
The new CometBFT release v0.38.15
fixes this issue.
Unreleased code in the main
and v1.x
branches, and experimental code in the v0.38-experimental
and v1.x-experimental
branches are patched as well.
Workarounds
When the consensus code panics after receiving an invalid Vote
message, the operator can identify the peer from which that message was received. This may require increasing the logging level of the consensus
module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.
References
Timeline
- October 21, 2024, 3:26pm PST: Issue reported to the Cosmos Bug Bounty program
- October 21, 2024, 3:41pm PST: Issue triaged by Amulet on-call, and distributed to Core team
- October 29, 2024, 11:35pm PST: Core team completes validation of issue
- October 30, 2024, 3:33am PST: Core team completes patch for issue
- October 30, 2024, 5:09am PST: Amulet creates coordination plan; schedule for distribution
- November 4, 2024, 8:00pm GMT: Pre-notification delivered
- November 6, 2024, 8:00am GMT: Patch made available
This issue was reported by corverroos to the Cosmos Bug Bounty Program on HackerOne on October 21, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.
References
Name: ASA-2024-011: Vote Extensions: Panic when receiving a Pre-commit with an invalid data
Component: CometBFT
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions:
>= 0.38.x
, unreleasedv1.x
andmain
development branchesAffected users: Chain Builders + Maintainers, Validators
Impact
A CometBFT node running in a network with vote extensions enabled could produce an invalid
Vote
message and send it to its peers. The invalid field of theVote
message is theValidatorIndex
, which identifies the sender in theValidatorSet
running that height of consensus. This field is ordinarily verified in the processing ofVote
messages, but it turns out that in the case of aVote
message of typePrecommit
and for a non-nil
BlockID
, a logic was introduced before this ordinary verification to handle the attached vote extension. This introduced logic (not present in releases prior to0.38.x
) does not double-check the validity of theValidatorIndex
field. The result is a panic in the execution of the node receiving and processing such message.Impact Qualification
This condition requires the introduction of malicious code in the full node sending this
Vote
message to its peers. Namely, nodes running upstream code cannot produce invalidVote
messages, with non-existingValidatorIndex
. Moreover, networks utilizing default behavior, where vote extensions are not enabled, are not affected by this issue.Patches
The new CometBFT release
v0.38.15
fixes this issue.Unreleased code in the
main
andv1.x
branches, and experimental code in thev0.38-experimental
andv1.x-experimental
branches are patched as well.Workarounds
When the consensus code panics after receiving an invalid
Vote
message, the operator can identify the peer from which that message was received. This may require increasing the logging level of theconsensus
module. This peer can then be subsequently banned at the p2p layer as a temporary mitigation.References
Timeline
This issue was reported by corverroos to the Cosmos Bug Bounty Program on HackerOne on October 21, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.
References