PT-2022-16861 · Chainsafe · @Chainsafe/Libp2P-Noise

Highwemeetagain

Published

2022-03-17

Updated

2022-03-23

CVE-2022-24759

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions @chainsafe/libp2p-noise versions prior to 4.1.2 @chainsafe/libp2p-noise versions prior to 5.0.3

Description The issue is related to the incorrect validation of signatures during the handshake process in the noise protocol implementation. This may allow a man-in-the-middle to pose as other peers and get those peers banned.

Recommendations For versions prior to 4.1.2, upgrade to version 4.1.2 to receive a patch. For versions prior to 5.0.3, upgrade to version 5.0.3 to receive a patch. As a temporary workaround, consider restricting access to the handshake process until a patch is available.

Exploit

Fix

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-347

Related Identifiers

CVE-2022-24759

GHSA-J3FF-XP6C-6GCC

Affected Products

@Chainsafe/Libp2P-Noise

PT-2022-16861 · Chainsafe · @Chainsafe/Libp2P-Noise

CVE-2022-24759

Weakness Enumeration

Related Identifiers

Affected Products

References · 9