CVE-2020-15091 - OpenCVE

TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Tendermint	Tendermint

Configuration 1 [-]

cpe:2.3:a:tendermint:tendermint:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340	Patch Third Party Advisory
https://github.com/tendermint/tendermint/issues/4926	Exploit Issue Tracking Third Party Advisory
https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-07-02T17:05:15

Updated: 2020-07-02T17:05:15

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15091

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-07-02T17:15:12.547

Modified: 2020-07-08T19:16:14.410

Link: CVE-2020-15091

JSON object: View

Redhat Information

No data.

CWE

CWE-347

{"containers": {"cna": {"affected": [{"product": "tendermint", "vendor": "tendermint", "versions": [{"status": "affected", "version": ">= 0.33.0, < 0.33.6"}]}], "descriptions": [{"lang": "en", "value": "TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "{\"CWE-347\":\"Improper Verification of Cryptographic Signature\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-02T17:05:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tendermint/tendermint/issues/4926"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"}], "source": {"advisory": "GHSA-6jqj-f58p-mrw3", "discovery": "UNKNOWN"}, "title": "Denial of Service in TenderMint", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15091", "STATE": "PUBLIC", "TITLE": "Denial of Service in TenderMint"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tendermint", "version": {"version_data": [{"version_value": ">= 0.33.0, < 0.33.6"}]}}]}, "vendor_name": "tendermint"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-347\":\"Improper Verification of Cryptographic Signature\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3", "refsource": "CONFIRM", "url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3"}, {"name": "https://github.com/tendermint/tendermint/issues/4926", "refsource": "MISC", "url": "https://github.com/tendermint/tendermint/issues/4926"}, {"name": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340", "refsource": "MISC", "url": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"}]}, "source": {"advisory": "GHSA-6jqj-f58p-mrw3", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15091", "datePublished": "2020-07-02T17:05:15", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2020-07-02T17:05:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tendermint:tendermint:*:*:*:*:*:*:*:*", "matchCriteriaId": "48BDDFA1-3EF9-4F28-9686-41B9A2898B79", "versionEndExcluding": "0.33.6", "versionStartIncluding": "0.33.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit."}, {"lang": "es", "value": "TenderMint desde versi\u00f3n 0.33.0 y anteriores a versi\u00f3n 0.33.6, permite a proponentes de bloque incluir firmas para el bloque equivocado. Esto puede suceder naturalmente si inicia una red, la hace funcionar durante un tiempo y la reinicia (**without changing chainID**). Un proponente de bloque malicioso (inclusive con una cantidad m\u00ednima de participaci\u00f3n) puede usar esta vulnerabilidad para detener completamente la red. Este problema es corregido en Tendermint versi\u00f3n 0.33.6, que comprueba que todas las firmas son para el bloque con una mayor\u00eda de 2/3+ antes de crear una confirmaci\u00f3n"}], "id": "CVE-2020-15091", "lastModified": "2020-07-08T19:16:14.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-07-02T17:15:12.547", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/tendermint/tendermint/issues/4926"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}