CVE-2023-40583 - OpenCVE

libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Protocol	Libp2p

Configuration 1 [-]

cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*

References

Link	Resource
https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd	Patch
https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4	Release Notes
https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7	Release Notes
https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-25T20:25:28.297Z

Updated: 2023-08-25T20:25:28.297Z

Reserved: 2023-08-16T18:24:02.391Z

Link: CVE-2023-40583

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-08-25T21:15:09.000

Modified: 2023-09-01T13:10:55.577

Link: CVE-2023-40583

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-40583", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-16T18:24:02.391Z", "datePublished": "2023-08-25T20:25:28.297Z", "dateUpdated": "2023-08-25T20:25:28.297Z"}, "containers": {"cna": {"title": "libp2p nodes vulnerable to OOM attack", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"}, {"name": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd", "tags": ["x_refsource_MISC"], "url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"}, {"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"}, {"name": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"}], "affected": [{"vendor": "libp2p", "product": "go-libp2p", "versions": [{"version": "< 0.27.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-25T20:25:28.297Z"}, "descriptions": [{"lang": "en", "value": "libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node\u2019s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4."}], "source": {"advisory": "GHSA-gcq9-qqwx-rgj3", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*", "matchCriteriaId": "C5F4582C-9B6B-41FB-99E1-C3B2CB0E19AD", "versionEndExcluding": "0.27.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "libp2p is a networking stack and library modularized out of The IPFS Project, and bundled separately for other tools to use. In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node\u2019s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.) This issue was patched in version 0.27.4."}, {"lang": "es", "value": "libp2p es una pila de red y una biblioteca modularizada a partir del Proyecto IPFS, y empaquetada por separado para que otras herramientas puedan utilizarla. En go-libp2p, mediante el uso de registros de pares firmados, un actor malicioso puede almacenar una cantidad arbitraria de datos en la memoria de un nodo remoto. Esta memoria no se recoge de la basura, por lo que la v\u00edctima puede quedarse sin memoria y bloquearse. Si los usuarios de go-libp2p en producci\u00f3n no monitorizan el consumo de memoria a lo largo del tiempo, podr\u00eda tratarse de un ataque silencioso, es decir, el atacante podr\u00eda hacer caer nodos durante un periodo de tiempo (el tiempo depende de los recursos del nodo, es decir, un nodo go-libp2p en un servidor virtual con 4 gb de memoria tarda unos 90 segundos en caerse; en un servidor m\u00e1s grande, podr\u00eda tardar un poco m\u00e1s). Este problema fue corregido en la versi\u00f3n 0.27.4.\n"}], "id": "CVE-2023-40583", "lastModified": "2023-09-01T13:10:55.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-08-25T21:15:09.000", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/libp2p/go-libp2p/commit/45d3c6fff662ddd6938982e7e9309ad5fa2ad8dd"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.4"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/libp2p/go-libp2p/security/advisories/GHSA-gcq9-qqwx-rgj3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}