GHSA-8WCC-M6J2-QXVM
Vulnerability from github – Published: 2024-12-16 19:33 – Updated: 2024-12-23 17:13Summary
ASA-2024-0012
Name: ASA-2024-0012, Transaction decoding may result in a stack overflow Component: Cosmos SDK Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2) Affected versions: cosmos-sdk versions <= v0.50.10, <= v0.47.14 Affected users: Chain Builders + Maintainers, Validators, node operators
ASA-2024-0013
Name: ASA-2024-0013: CosmosSDK: Transaction decoding may result in resource exhaustion
Component: Cosmos SDK
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: cosmos-sdk versions <= v0.50.10, <= v0.47.14
Affected users: Chain Builders + Maintainers, Validators, node operators
Impact
ASA-2024-0012
When decoding a maliciously formed packet with a deeply-nested structure, it may be possible for a stack overflow to occur and result in a network halt. This was addressed by adding a recursion limit while decoding the packet.
ASA-2024-0013
Nested messages in a transaction can consume exponential cpu and memory on UnpackAny calls. Themax_tx_bytes sets a limit for external TX but is not applied for internal messages emitted by wasm contracts or a malicious validator block. This may result in a node crashing due to resource exhaustion. This was addressed by adding additional validation to prevent this condition.
Patches
The issues above are resolved in Cosmos SDK versions v0.47.15 or v0.50.11. Please upgrade ASAP.
Timeline for ASA-2024-0012
- October 1, 2024, 12:29pm UTC: Issue reported to the Cosmos Bug Bounty program
- October 1, 2024, 2:47pm UTC: Issue triaged by Amulet on-call, and distributed to Core team
- December 9, 2024, 11:13am UTC: Core team completes patch for issue
- Dec 14, 2024,16:00 UTC: Pre-notification delivered
- Dec 16, 2024, 16:00 UTC: Patch made available
This issue was reported to the Cosmos Bug Bounty Program on HackerOne on October 1, 2024.
Timeline for ASA-2024-0013
- October 19, 2024, 8:12pm UTC: Issue reported to the Cosmos Bug Bounty program
- October 19, 2024, 8:28pm UTC: Issue triaged by Amulet on-call, and distributed to Core team
- December 11, 2024, 3:31pm UTC: Core team completes patch for issue
- Dec 14, 2024, 16:00 UTC: Pre-notification delivered
- Dec 16, 2024, 16:00 UTC: Patch made available
This issue was reported by LonelySloth to the Cosmos Bug Bounty Program on HackerOne on October 19, 2024.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cosmos/cosmos-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.50.0-alpha.0"
},
{
"fixed": "0.50.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/cosmos/cosmos-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.47.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "cosmossdk.io/x/tx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-16T19:33:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary \n\n### ASA-2024-0012\nName: ASA-2024-0012, Transaction decoding may result in a stack overflow\nComponent: Cosmos SDK\nCriticality: High (Considerable Impact, and Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: cosmos-sdk versions \u003c= v0.50.10, \u003c= v0.47.14\nAffected users: Chain Builders + Maintainers, Validators, node operators\n\n### ASA-2024-0013\nName: ASA-2024-0013: CosmosSDK: Transaction decoding may result in resource exhaustion \nComponent: Cosmos SDK\nCriticality: High (Considerable Impact, and Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: cosmos-sdk versions \u003c= v0.50.10, \u003c= v0.47.14\nAffected users: Chain Builders + Maintainers, Validators, node operators\n\n\n\n### Impact\n\n### ASA-2024-0012\n\nWhen decoding a maliciously formed packet with a deeply-nested structure, it may be possible for a stack overflow to occur and result in a network halt. This was addressed by adding a recursion limit while decoding the packet.\n\n### ASA-2024-0013\n\nNested messages in a transaction can consume exponential cpu and memory on `UnpackAny` calls. The`max_tx_bytes` sets a limit for external TX but is not applied for internal messages emitted by wasm contracts or a malicious validator block. This may result in a node crashing due to resource exhaustion. This was addressed by adding additional validation to prevent this condition.\n\n\n### Patches\n\nThe issues above are resolved in Cosmos SDK versions v0.47.15 or v0.50.11.\nPlease upgrade ASAP.\n\n### Timeline for ASA-2024-0012\n\n* October 1, 2024, 12:29pm UTC: Issue reported to the Cosmos Bug Bounty program\n* October 1, 2024, 2:47pm UTC: Issue triaged by Amulet on-call, and distributed to Core team\n* December 9, 2024, 11:13am UTC: Core team completes patch for issue\n* Dec 14, 2024,16:00 UTC: Pre-notification delivered\n* Dec 16, 2024, 16:00 UTC: Patch made available\n\nThis issue was reported to the Cosmos Bug Bounty Program on HackerOne on October 1, 2024.\n\n### Timeline for ASA-2024-0013\n\n* October 19, 2024, 8:12pm UTC: Issue reported to the Cosmos Bug Bounty program\n* October 19, 2024, 8:28pm UTC: Issue triaged by Amulet on-call, and distributed to Core team\n* December 11, 2024, 3:31pm UTC: Core team completes patch for issue\n* Dec 14, 2024, 16:00 UTC: Pre-notification delivered\n* Dec 16, 2024, 16:00 UTC: Patch made available\n\nThis issue was reported by LonelySloth to the Cosmos Bug Bounty Program on HackerOne on October 19, 2024. \n\n\nIf you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation\u2019s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security. ",
"id": "GHSA-8wcc-m6j2-qxvm",
"modified": "2024-12-23T17:13:22Z",
"published": "2024-12-16T19:33:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-8wcc-m6j2-qxvm"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/commit/c6b1bdcd5628e3e425a3f02881d3c7db1d7af653"
},
{
"type": "PACKAGE",
"url": "https://github.com/cosmos/cosmos-sdk"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.15"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a stack overflow or resource exhaustion "
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.