CVE-2020-5303
Denial of service in Tendermint
Descriptions
Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability. Tendermint does not limit the number of P2P connection requests, and for each p2p connection it allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to a duplicate IP or reaching the maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. Additionally, Tendermint does not reclaim the activeID of a peer after that peer is removed in the Mempool reactor. This does not happen all the time: it only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to ever-growing memory (the activeIDs map). The activeIDs map has a maximum size of 65535, and the node will panic if the map reaches that maximum. An attacker can create a large number of connection attempts (exploiting the denial of service above), which ultimately leads to the node panicking. These issues are patched in Tendermint 0.33.3 and 0.32.10.
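The ID leak the description walks through, as an added Go example that is not Tendermint's code: a simplified model of the reactor's per-peer ID table, with a reserve step at peer init, a connection that fails before AddPeer, and a cleanup branch that stands in for the patched teardown (the type and function names, the reserve/cleanup shape and the panic message are assumptions, not the project's API).

```go
package main

// Added example, not Tendermint's code: a simplified model of the mempool
// reactor's per-peer ID table described in the advisory. Names are assumed.
const maxActiveIDs = 65535

type peerIDs struct {
	activeIDs map[uint16]struct{} // IDs in use; never shrinks on the buggy path
	nextID    uint16
}

func newPeerIDs() *peerIDs { return &peerIDs{activeIDs: map[uint16]struct{}{}} }

// reserve hands out a free ID; at the cap the node panics, as the advisory states.
func (p *peerIDs) reserve() uint16 {
	if len(p.activeIDs) >= maxActiveIDs {
		panic("activeIDs map full")
	}
	for {
		id := p.nextID
		p.nextID++ // uint16 wraps; the cap check guarantees a free slot exists
		if _, used := p.activeIDs[id]; !used {
			p.activeIDs[id] = struct{}{}
			return id
		}
	}
}

// connect models one inbound connection that fails before the peer is fully
// added: the ID is reserved at init, and only the fixed teardown releases it.
func connect(p *peerIDs, fixed bool) {
	id := p.reserve() // reactor init: ID taken; the connection then fails before AddPeer
	if fixed {
		delete(p.activeIDs, id) // fixed: every teardown path reclaims the ID
	}
}

// simulate runs n failed attempts; returns live IDs and whether the cap panicked.
func simulate(n int, fixed bool) (active int, panicked bool) {
	p := newPeerIDs()
	defer func() {
		if recover() != nil {
			active, panicked = len(p.activeIDs), true
		}
	}()
	for i := 0; i < n; i++ {
		connect(p, fixed)
	}
	return len(p.activeIDs), false
}
```

With the buggy path, 1000 failed attempts leave 1000 live IDs and 65536 attempts hit the cap and panic; with the fixed teardown the table stays empty.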
Timeline
- 2020-01-02 CVE Reserved
- 2020-04-10 CVE Published
- 2024-02-13 EPSS Updated
- 2024-08-04 CVE Updated
CWE
- CWE-787: Out-of-bounds Write
- CWE-789: Memory Allocation with Excessive Size Value
References (2)
URL | Tag | Date
---|---|---
https://github.com/tendermint/tendermint/security/advisories/GHSA-v24h-pjjv-mcp6 | Third Party Advisory | -
https://github.com/tendermint/tendermint/commit/e2d6859afd7dba4cf97c7f7d412e7d8fc908d1cd | - | 2020-06-30
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Tendermint | Tendermint | < 0.31.12 | Affected
Tendermint | Tendermint | >= 0.32.0 < 0.32.10 | Affected
Tendermint | Tendermint | >= 0.33.0 < 0.33.3 | Affected