Cosmos-sdk vulnerability retrospective

[grepsuzette]

I've been making some researchs these past 2 days on the topic of past vulnerabilities affecting cosmos libraries. I will start a list here (there must be more):

2022-10-07 500M USD Binance hack

• exploited vulnerable iavl module in the bridge between Binance Chain and BSC.
• current GNO codebase is vulnerable
• there's a pending fix
• The Cosmos ecosystem was not affected, as modern cosmos/iavl had started to depend on cosmos/ics23 (which doesn't use range proofs).
• More about it:
  • Ethan Buchman's (10oct22) on twitter
  • Excellent analysis by Beosin

2022-10-08 Dragonberry

• it allowed the forgery of IBC timeouts, allowing drain of all ICS-20 escrow accounts ("all funds in IBC channels across Cosmos networks were vulnerable to this exploit")
• discovered by Dev Ojha (Valardragon) in the aftermath of Binance hack.
• was a critical vulnerability in the ics23 implementation used by modern iavl
• in my understanding, GNO is not affected
  • (because current pkgs/iavl is old and therefore its implementation does not depend upon cosmos/ics23)
• More about it:
  • ebuchman's retrospective at forum.cosmos

2022-10-11 Elderflower

• discovered by Alex Peters from Confio and in parallel by core developers from Axelar
• was a vulnerability in the authz module,
• in my understanding, GNO is not affected
  • (because it does not use the authz module)
• More about it:
  • aforementioned ebuchman retrospective

Verichain public advisory VSA-2022-100

• Tendermint/Cosmos maintainer warned privately in october, revealed publicly 120 days later,
• About a "significant Empty Merkle Tree vulnerability in the IAVL proof on Tendermint Core"
• Potentially affects GNO
  • Verichain indicates it affectts "Tendermint (all versions)"
  • Was acknowledged by tendermint, but "not fixed" because "IBC and Cosmos-SDK implementation had already migrated to ICS-23 from IAVL merkle proof verifications"
• Read more at VSA-2022-100

Verichain public advisory VSA-2022-101, CVE-2023-27575

• Tendermint/Cosmos maintainer warned privately in october, revealed publicly 120 days later,
• Nicknamed "From Nil to Spoof – Critical IAVL Spoofing Attack via Multiple Vulnerabilities"
• Seems GNO is not affected.
  • Verichain indicates it affects "BNB Chain".
  • Seems the exploitation of aforementioned VSA-2022-100 ProofOpValue bug in Tendermint, but applied to go/ethereum + tendermint that is used by Binance.
  • If GNO is affected, it would be by VSA-2022-100.
• Read more at VSA-2022-101

[grepsuzette]

Some more vulns. We will obviously need a much better method, contact people in the know and access better place than Google, Twitter or exploit-db like as I've been doing now. For instance https://github.com/tendermint/tendermint/security/advisories lists 4 vulns publicly, but there are undisclosed ones from the list above. Also, preventive fixes must not have been listed so we can be vulnerable even in the absence of a listed vuln. Anyway, I still consider this list helpful.

DoS CVE-2019-25072

"Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector."

• Denial of service
• GNO seems partially protected:
  • protected, because

    gno/pkgs/bft/rpc/lib/client/http_client.go

    Lines 110 to 118 in 469b97a

    	func DefaultHTTPClient(remoteAddr string) *http.Client {
    	return &http.Client{
    	Transport: &http.Transport{
    	// Set to true to prevent GZIP-bomb DoS attacks
    	DisableCompression: true,
    	Dial: makeHTTPDialer(remoteAddr),
    	},
    	}
    	}

  • partially, because pkgs/bft/rpc/lib/client/http_client.go NewHTTPWithClient() allows creating clients without disabled compressions. That function may require either enforcing the flag manually (to disable compression) or add a comment to warn about the risk:
• More about it:
  • https://www.cvedetails.com/cve/CVE-2019-25072/
  • tendermint/tendermint@03085c2
  • rpc: client disable compression tendermint/tendermint#3430

[grepsuzette]

"Lavender" CVE-2020-5303

"Tendermint before versions 0.33.3, 0.32.10, and 0.31.12 has a denial-of-service vulnerability. Tendermint does not limit the number of P2P connection requests. For each p2p connection, it allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. Additionally, Tendermint does not reclaim activeID of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to always growing memory (activeIDs map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting above denial of service), which ultimately will lead to the node panicking. These issues are patched in Tendermint 0.33.3 and 0.32.10."

• publish date: 2020-04-10
• Denial of service, severity in github advisory: High
• GNO appears unpatched
  • compare for instance pkgs/bft/node/node.go:379 with the patch below
• More about it:
  • GHSA-v24h-pjjv-mcp6
  • https://www.cvedetails.com/cve/CVE-2020-5303/
  • Patch at tendermint/tendermint@e2d6859

[grepsuzette]

"Syringa" CVE-2020-15091

"TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (without changing chainID). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit."

• Publish Date : 2020-07-02
• Denial of service
• GNO appears unpatched
  • compare for instance pkgs/bft/node/node.go:540 with the patch below
• GHSA-6jqj-f58p-mrw3
• https://www.cvedetails.com/cve/CVE-2020-15091/
• Patch at tendermint/tendermint@480b995
• Consensus: "enterPrevote: ProposalBlock is invalid" - Error: "wrong signature" tendermint/tendermint#4926

[grepsuzette]

"Mulberry" CVE-2021-21271

"Tendermint Core v0.34.0 introduced a new way of handling evidence of misbehavior. As part of this, we added a new Timestamp field to Evidence structs. This timestamp would be calculated using the same algorithm that is used when a block is created and proposed. (This algorithm relies on the timestamp of the last commit from this specific block.) In Tendermint Core v0.34.0-v0.34.2, the consensus reactor is responsible for forming DuplicateVoteEvidence whenever double signs are observed. However, the current block is still “in flight” when it is being formed by the consensus reactor. It hasn’t been finalized through network consensus yet. This means that different nodes in the network may observe different “last commits” when assigning a timestamp to DuplicateVoteEvidence. In turn, different nodes could form DuplicateVoteEvidence objects at the same height but with different timestamps. (...)"

• Publish Date : 2021-01-26
• GNO does not seem vulnerable to that threat,
  • because its pkgs/bft is older than v0.34,
  • inspection of the patch suggests it's not applicable to current pkgs/bft.
• denial-of-service vector which impacts networks running Tendermint Core v0.34.0 - v0.34.2.
• More about it:
  • https://github.com/tendermint/tendermint/blob/v0.34.3/CHANGELOG.md#v0.34.3
  • tendermint/tendermint@a2a6852
  • GHSA-p658-8693-mhvg
• https://www.cvedetails.com/cve/CVE-2021-21271/

[grepsuzette]

Last one, at least for now.

"Alderfly" GHSA-f3w5-v9xx-rp8p

• "Forward Lunatic Attack or FLA. Tendermint light clients running versions 0.34.0 to 0.34.8 are unable to detect and punish a new kind of attack. We’re calling this a “forward lunatic attack,” or FLA. The severity of this vulnerability is moderate."
• Publish Date: 2021-04-21
• GNO may be vulnerable
  • Need to study the link below,
  • more involved that most vulns listed here.
• More about it:
  • GHSA-f3w5-v9xx-rp8p

---

Btw there are other repo to inspect for vuln advisories.

"Tendermint bug bounty program ranks bugs affecting the following libs as Critical:"

https://github.com/tendermint/tendermint
https://github.com/cosmos/iavl
https://github.com/cosmos/cosmos-sdk
https://github.com/iqlusioninc/yubihsm.rs  (Restricted to the ed25519 pubkey and signing paths)
https://github.com/iqlusioninc/tmkms
https://github.com/iqlusioninc/crates/tree/main/signatory  (Restricted to the ed25519 provider sub-crates like dalek-ed25519 and ring)
https://github.com/cosmos/ledger-cosmos
https://github.com/cosmos/gaia
https://github.com/cosmos/ibc-go

Some of them are used in pkgs. I don't want to flood this topic right now.

[moul]

Do you think this is heading in the right direction, @jaekwon, or do you have an alternative plan to address these points?