Dec 08, 2023 - 2:26 p.m.

CVE-2023-6245 Infinite decoding loop through specially crafted payload

2023-12-08 14:26:09
CWE-835
CWE-20
CWE-1288
CWE-168
Dfinity
www.cve.org
cve-2023-6245
candid library
infinite decoding loop
denial of service
canister interface
rust candid decoder
recoverable error
affected versions
indefinite execution
degraded performance
payload

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 31.9%

The Candid library causes a Denial of Service while parsing a specially crafted payload with the 'empty' data type. For example, if the payload is record { * ; empty } and the canister interface expects record { * }, then the Rust candid decoder treats empty as an extra field required by the type. The problem with the type empty is that the candid Rust library wrongly categorizes empty as a recoverable error when skipping the field, which causes an infinite decoding loop.

Canisters using affected versions of candid are exposed to denial of service: the payload causes decoding to run indefinitely until the canister traps on reaching the maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister. Note: Canisters written in Motoko are unaffected.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Candid",
    "repo": "https://github.com/dfinity/candid",
    "vendor": "Internet Computer",
    "versions": [
      {
        "lessThan": "0.9.10",
        "status": "affected",
        "version": "0.9.0",
        "versionType": "0.0.0"
      }
    ]
  }
]
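
A check for the affected range listed above (0.9.0 up to, but not including, 0.9.10), as an added example that is not part of the CVE record or the candid project's code. It scans Cargo.lock text for the candid crate; the function names and the sample lockfile are constructed for illustration, and ignoring pre-release or build suffixes is an assumption.

```rust
// Added example: flag candid versions inside the range this record lists as
// affected (0.9.0 <= v < 0.9.10). SAMPLE_LOCK is constructed, not a real lockfile.
const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "candid"
version = "0.9.9"
[[package]]
name = "candid"
version = "0.10.0"
[[package]]
name = "candid_derive"
version = "0.9.5"
"#;

// Parse MAJOR.MINOR.PATCH; a pre-release/build suffix is ignored (assumption).
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { return None; } // more than three components
    Some(triple)
}

// True when v falls in the record's affected range; unparsable versions are not flagged.
fn is_affected(v: &str) -> bool {
    parse_version(v).map_or(false, |t| (0, 9, 0) <= t && t < (0, 9, 10))
}

// Walk the lockfile line by line; in each [[package]] entry `name` precedes `version`.
fn affected_candid_versions(lockfile: &str) -> Vec<String> {
    let (mut hits, mut name) = (Vec::new(), "");
    for line in lockfile.lines().map(str::trim) {
        if let Some(n) = line.strip_prefix("name = ") {
            name = n.trim_matches('"');
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if name == "candid" && is_affected(v) { hits.push(v.to_string()); }
        }
    }
    hits
}

fn main() {
    for v in affected_candid_versions(SAMPLE_LOCK) {
        println!("candid {} is in the affected range (fixed in 0.9.10)", v);
    }
}
```

The name comparison is exact, so sibling crates such as the constructed candid_derive entry are not flagged.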
