CVE-2023-34451
published 2023-07-03CVE-2023-34451: CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. The mempool maintains two…
PriorityP340high8.2CVSS 3.1
AVNACLPRNUINSUCNILAH
EPSS
0.74%
50.0th percentile
CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. The mempool maintains two data structures to keep track of outstanding transactions: a list and a map.
These two data structures are supposed to be in sync all the time in the sense that the map tracks the index (if any) of the transaction in the list. In `v0.37.0`, and `v0.37.1`, as well as in `v0.34.28`, and all previous releases of the CometBFT repo2, it is possible to have them out of sync. When this happens, the list may contain several copies of the same transaction. Because the map tracks a single index, it is then no longer possible to remove all the copies of the transaction from the list. This happens even if the duplicated transaction is later committed in a block. The only way to remove the transaction is by restarting the node.
The above problem can be repeated on and on until a sizable number of transactions are stuck in the mempool, in order to try to bring down the target node. The problem is fixed in releases `v0.34.29` and `v0.37.2`. Some workarounds are available. Increasing the value of `cache_size` in `config.toml` makes it very difficult to effectively attack a full node. Not exposing the transaction submission RPC's would mitigate the probability of a successful attack, as the attacker would then have to create a modified (byzantine) full node to be able to perform the attack via p2p.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cometbft | cometbft | < 0.34.29 | 0.34.29 |
| cometbft | cometbft | — | — |
| cometbft | cometbft | >= 0.34.28 < 0.34.29 | 0.34.29 |
| cometbft | cometbft | >= 0.37.0 < 0.37.2 | 0.37.2 |
| github.com | cometbft_cometbft | >= 0 < 0.37.2 | 0.37.2 |
| github.com | cometbft_cometbft | >= 0 < 0.34.29 | 0.34.29 |
| github.com | cometbft_cometbft | >= 0.37.0 < 0.37.2 | 0.37.2 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Denial of service via OOM in github.com/cometbft/cometbft
osv·2023-07-13
CVE-2023-34451 Denial of service via OOM in github.com/cometbft/cometbft
Denial of service via OOM in github.com/cometbft/cometbft
A bug in the CometBFT middleware causes the mempool's two data structures to fall out of sync. This can lead to duplicate transactions that cannot be removed, even after they are committed in a block. The only way to remove the transaction is to restart the node. This can be exploited by an attacker to bring down a node by repeatedly submitting duplicate transactions.
GHSA
CometBFT may duplicate transactions in the mempool's data structures
ghsa·2023-07-05
CVE-2023-34451 [HIGH] CWE-401 CometBFT may duplicate transactions in the mempool's data structures
CometBFT may duplicate transactions in the mempool's data structures
### Impact
The mempool maintains two data structures to keep track of outstanding transactions: a list and a map.
These two data structures are supposed to be in sync all the time in the sense that the map tracks the index (if any) of the transaction in the list.
Unfortunately, it is possible to have them out of sync. When this happens, the list may contain several copies of the same transaction.
Because the map tracks a single index, it is then no longer possible to remove all the copies of the transaction from the list.
This happens even if the duplicated transaction is later committed in a block.
The only way to remove the transaction is by restarting the node.
These are the steps to cause the above duplication pro
OSV
CometBFT may duplicate transactions in the mempool's data structures
osv·2023-07-05
CVE-2023-34451 [HIGH] CometBFT may duplicate transactions in the mempool's data structures
CometBFT may duplicate transactions in the mempool's data structures
### Impact
The mempool maintains two data structures to keep track of outstanding transactions: a list and a map.
These two data structures are supposed to be in sync all the time in the sense that the map tracks the index (if any) of the transaction in the list.
Unfortunately, it is possible to have them out of sync. When this happens, the list may contain several copies of the same transaction.
Because the map tracks a single index, it is then no longer possible to remove all the copies of the transaction from the list.
This happens even if the duplicated transaction is later committed in a block.
The only way to remove the transaction is by restarting the node.
These are the steps to cause the above duplication pro
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/cometbft/cometbft/pull/890https://github.com/cometbft/cometbft/security/advisories/GHSA-w24w-wp77-qffmhttps://github.com/tendermint/tendermint/pull/2778https://github.com/cometbft/cometbft/pull/890https://github.com/cometbft/cometbft/security/advisories/GHSA-w24w-wp77-qffmhttps://github.com/tendermint/tendermint/pull/2778
2023-07-03
Published