Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(security): close DDoS vulnerability in eth tx consistenty strategy #2001

Closed
petermetz opened this issue May 4, 2022 · 6 comments · Fixed by #2036
Closed

fix(security): close DDoS vulnerability in eth tx consistenty strategy #2001

petermetz opened this issue May 4, 2022 · 6 comments · Fixed by #2036
Assignees
Labels
Besu Breaking_V2 Changes that can only be made with the release of v3.0.0 due to them being breaking changes. bug Something isn't working P2 Priority 2: High Quorum Security Related to existing or potential security vulnerabilities Xdai Tasks/bugs related to the Xdai network and the corresponding ledger connector plugin in Cactus

Comments

@petermetz
Copy link
Contributor

petermetz commented May 4, 2022

Description

The application performs some repetitive tasks in a loop and defines the number of times to perform the loop according to user input. A very high value could cause the application to get stuck in the loop and to be unable to continue to other operations.

Affected files are all the eth flavored connector plugins that have the consistencyStrategy request parameter when executing transactions.

  • packages/cactus-plugin-ledger-connector-besu/src/main/typescript/plugin-ledger-connector-besu.ts
  • packages/cactus-plugin-ledger-connector-xdai/src/main/typescript/plugin-ledger-connector-xdai.ts
  • packages/cactus-plugin-ledger-connector-quorum/src/main/typescript/plugin-ledger-connector-quorum.ts
    do {
      tries++;
      timedOut = Date.now() >= startedAt.getTime() + timeoutMs;
      if (timedOut) {
        break;
      }

      txReceipt = await this.web3.eth.getTransactionReceipt(txHash);
      if (!txReceipt) {
        continue;
      }

      const latestBlockNo = await this.web3.eth.getBlockNumber();
      confirmationCount = latestBlockNo - txReceipt.blockNumber;
    } while (confirmationCount >= consistencyStrategy.blockConfirmations);

Impact

An attacker could input a very high value, potentially causing a denial of service (DoS).

Remediation Recommendation

Don't base a loop on loosely validated user-provided data. The range should be limited. Always include a maximum value for each user input in the openapi.json specs.

Change the maximum for allowed block count to 20 thousand (a little over what the ethereum main net confirms in a 72 hour period according to the latest statistics at time of this writing: https://ycharts.com/indicators/ethereum_blocks_per_day

Breaking Change Discussion

Fixing this will be a breaking change, because previously valid requests will now get rejected by the API server.
An argument could be made that it's only a breaking change for those who were previously sending malicious requests and for no one else and therefore it is not really a breaking change even though it technically is.

@izuru0 @takeutak @jagpreetsinghsasan Please weigh in on the question presented in Breaking Change Discussion

@petermetz petermetz added Besu Breaking_V2 Changes that can only be made with the release of v3.0.0 due to them being breaking changes. bug Something isn't working P2 Priority 2: High Quorum Security Related to existing or potential security vulnerabilities Xdai Tasks/bugs related to the Xdai network and the corresponding ledger connector plugin in Cactus labels May 4, 2022
@jagpreetsinghsasan
Copy link
Contributor

Can we fix it by having a specified time delay in-between requests instead of limiting the range?

@petermetz
Copy link
Contributor Author

Can we fix it by having a specified time delay in-between requests instead of limiting the range?

@jagpreetsinghsasan A rate-limiter would be a partial solution because it can be defeated. For example if it rate limits based on IP address then one can use a set of proxies to avoid it entirely. With that said, everything else is also just a partial solution because nothing eliminate the possibility of DoS completely. It is a cat and mouse game that has to be played forever.

Layering defenses is almost always a good idea, so IMO the strongest protection would be to do both.

@jagpreetsinghsasan
Copy link
Contributor

Thanks @petermetz for descriptive reasoning. And I agree 100% with the fact that, layering the security measures is the best way out.

@aldousalvarez
Copy link
Contributor

Hello @petermetz Can you assign me on this one? Thanks

@petermetz
Copy link
Contributor Author

Hello @petermetz Can you assign me on this one? Thanks

@aldousalvarez Done, than kyou!

@petermetz
Copy link
Contributor Author

BLOCKER/ISSUE: packages/cactus-plugin-ledger-connector-quorum/src/main/typescript/plugin-ledger-connector-quorum.ts - this file doesnt have any consistencyStrategy imports or usage.

@aldousalvarez My bad, packages/cactus-plugin-ledger-connector-quorum/src/main/typescript/plugin-ledger-connector-quorum.ts can be skipped.

aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue May 23, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue May 23, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue May 24, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue May 26, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
petermetz pushed a commit to aldousalvarez/cactus that referenced this issue Jun 1, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
petermetz pushed a commit to aldousalvarez/cactus that referenced this issue Jun 2, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jul 12, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jul 12, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jul 13, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jul 13, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jul 14, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jul 14, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
aldousalvarez added a commit to aldousalvarez/cactus that referenced this issue Jul 15, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
petermetz pushed a commit to aldousalvarez/cactus that referenced this issue Jul 16, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
petermetz pushed a commit to aldousalvarez/cactus that referenced this issue Jul 16, 2022
Fixes hyperledger-cacti#2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
petermetz pushed a commit that referenced this issue Jul 16, 2022
Fixes #2001

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Besu Breaking_V2 Changes that can only be made with the release of v3.0.0 due to them being breaking changes. bug Something isn't working P2 Priority 2: High Quorum Security Related to existing or potential security vulnerabilities Xdai Tasks/bugs related to the Xdai network and the corresponding ledger connector plugin in Cactus
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants