CVE-2024-38359 Lightning Network Daemon Onion Bomb

2024-06-2022:16:00

CWE-20

GitHub_M

www.cve.org

cve-2024-38359

lightning network daemon

parsing vulnerability

lnd v0.17.0

dos vector

excessive memory allocation

cli flag

updatechanpolicycommand

mitigatio

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

15.7%

JSON

The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd’s onion processing logic and lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the --rejecthtlc CLI flag and also disable forwarding on channels via the UpdateChanPolicyCommand, or disable listening on a public network interface via the --nolisten flag as a mitigation.

CNA Affected

[
  {
    "vendor": "lightningnetwork",
    "product": "lnd",
    "versions": [
      {
        "version": "< 0.17.0",
        "status": "affected"
      }
    ]
  }
]