{ "schema_version": "1.4.0", "id": "GHSA-r3r4-g7hq-pq4f", "modified": "2025-02-05T16:34:57Z", "published": "2025-02-03T16:48:59Z", "aliases": [], "summary": "CometBFT allows a malicious peer to stall the network by disseminating seemingly valid block parts", "details": "Name: ASA-2025-002: Malicious peer can stall network by disseminating seemingly valid block parts\nComponent: CometBFT\nCriticality: High (Catastrophic Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: <= v0.38.16, v1.0.0\nAffected users: Validators, Full nodes, Users\n\n### Description\n\nA bug was identified in the CometBFT validation of block part indices and the corresponding proof part indices that can lead to incorrect processing and dissemination of invalid parts, which in turn could lead to a network halt. Additional validation was added to prevent this condition from happening.\n\n### Patches\n\nThe new CometBFT releases [v1.0.1](https://github.com/cometbft/cometbft/releases/tag/v1.0.1) and [v0.38.17](https://github.com/cometbft/cometbft/releases/tag/v0.38.17) fix this issue.\n\nUnreleased code in the main branch is patched as well.\n\n### Workarounds\n\nThere are no known workarounds for this issue. If a node is producing these malicious proofs, the only mitigation is to upgrade CometBFT. After upgrading, the validators then will eventually conclude the correct value.\n\n### Technical Deep-Dive\n\nWhen the next proposer creates a block, it is split into many block parts (64kB each). Each block part is then disseminated via p2p layer in a gossip fashion. The block part contains the following fields:\n\n```go\ntype Part struct {\n\tIndex uint32 `json:\"index\"`\n\tBytes cmtbytes.HexBytes `json:\"bytes\"`\n\tProof merkle.Proof `json:\"proof\"`\n}\n```\n\n- `Index` - represents the index of a block part\n- `Bytes` - the actual content\n- `Proof` - Merkle proof, which allows the receiving node to quickly verify that a `Part` is indeed a piece of the proposed block.\n\nThe `Proof` contains the following fields:\n\n```go\ntype Proof struct {\n\tTotal int64 `json:\"total\"` // Total number of items.\n\tIndex int64 `json:\"index\"` // Index of item to prove.\n\tLeafHash []byte `json:\"leaf_hash\"` // Hash of item value.\n\tAunts [][]byte `json:\"aunts,omitempty\"` // Hashes from leaf's sibling to a root's child.\n}\n```\n\nNote that the total number of leaves in the Merkle tree equals the number of parts in the proposed block. Previously, CometBFT did not validate the `Index` field and specifically that `Part.Index` must be equal to `Part.Proof.Index`. This leads to a condition where, it is possible to use the proof from a different part and CometBFT accept it, even though the proof proves the different part is a piece of the proposed block and not the part that the peer actually sent to us.\n\nThis condition is problematic because: \n\n1. it would disseminate the invalid block part to its neighboring nodes (because it deemed it as correct)\n2. it would mark the block part as received and ask the neighboring nodes not to relay it in the future, making it impossible to receive the correct block part.\n\nTo address this, CometBFT was patched to verify that `Part.Index` is equal to `Part.Proof.Index`, preventing the above condition.\n\n### Timeline\n\n* January 15, 2025, 12:12pm PST: Issue reported to the Cosmos Bug Bounty program\n* January 15, 2025, 12:31pm PST: Issue triaged by Amulet on-call, and distributed to Core team\n* January 27, 2025, 11:28pm PST: Core team completes validation of issue\n* January 31, 2024, 2:15pm PST: Pre-notification delivered\n* February 3rd, 2024, 9:00am UTC+4: Patch made available\n\nThis issue was reported by [unknown_feature](https://github.com/unknownfeature) to the Cosmos Bug Bounty Program on HackerOne on January 15, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security. \n\nA Github Security Advisory for this issue is available in the CometBFT [repository](https://github.com/cometbft/cometbft/security/advisories/GHSA-r3r4-g7hq-pq4f). For more information about CometBFT, see https://docs.cometbft.com/.", "severity": [], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/cometbft/cometbft" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.0-alpha.1" }, { "fixed": "1.0.1" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/cometbft/cometbft" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.38.17" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-r3r4-g7hq-pq4f" }, { "type": "WEB", "url": "https://github.com/cometbft/cometbft/commit/415c0da223bb7694608913f725fa45bd7a7a46bf" }, { "type": "WEB", "url": "https://github.com/cometbft/cometbft/commit/f943aabc7b9201ea1089ff3381479929435ce424" }, { "type": "PACKAGE", "url": "https://github.com/cometbft/cometbft" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2025-3443" } ], "database_specific": { "cwe_ids": [ "CWE-345" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-02-03T16:48:59Z", "nvd_published_at": null } }