CVE-2023-34451 — HIGH (8.2)

Q: How severe is CVE-2023-34451?

CVE-2023-34451 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-34451?

Check the references section above for vendor advisories and patch information. Affected products include: Cometbft Cometbft.

Vulnerability Description

CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. The mempool maintains two data structures to keep track of outstanding transactions: a list and a map. These two data structures are supposed to be in sync all the time in the sense that the map tracks the index (if any) of the transaction in the list. In `v0.37.0`, and `v0.37.1`, as well as in `v0.34.28`, and all previous releases of the CometBFT repo2, it is possible to have them out of sync. When this happens, the list may contain several copies of the same transaction. Because the map tracks a single index, it is then no longer possible to remove all the copies of the transaction from the list. This happens even if the duplicated transaction is later committed in a block. The only way to remove the transaction is by restarting the node. The above problem can be repeated on and on until a sizable number of transactions are stuck in the mempool, in order to try to bring down the target node. The problem is fixed in releases `v0.34.29` and `v0.37.2`. Some workarounds are available. Increasing the value of `cache_size` in `config.toml` makes it very difficult to effectively attack a full node. Not exposing the transaction submission RPC's would mitigate the probability of a successful attack, as the attacker would then have to create a modified (byzantine) full node to be able to perform the attack via p2p.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cometbft	Cometbft	>= 0.34.28, < 0.34.29

Related Weaknesses (CWE)

CWE-401

References

https://github.com/cometbft/cometbft/pull/890ExploitIssue TrackingPatch
https://github.com/cometbft/cometbft/security/advisories/GHSA-w24w-wp77-qffmExploitMitigationVendor Advisory
https://github.com/tendermint/tendermint/pull/2778Issue TrackingPatch
https://github.com/cometbft/cometbft/pull/890ExploitIssue TrackingPatch
https://github.com/cometbft/cometbft/security/advisories/GHSA-w24w-wp77-qffmExploitMitigationVendor Advisory
https://github.com/tendermint/tendermint/pull/2778Issue TrackingPatch

FAQ

What is CVE-2023-34451?

CVE-2023-34451 is a vulnerability with a CVSS score of 8.2 (HIGH). CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. The mempool maintains two data structures to keep track of outstanding...

How severe is CVE-2023-34451?

CVE-2023-34451 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-34451?

Check the references section above for vendor advisories and patch information. Affected products include: Cometbft Cometbft.