CVSS v3.1: 7.5 High

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

CVSS v2: 5.0 Medium

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | PARTIAL |
| Vector string | AV:N/AC:L/Au:N/C:N/I:N/A:P |

EPSS: 0.001 (Low), percentile 43.4%
A malicious peer can use large RSA keys to run a resource exhaustion attack and force a node to spend time doing signature verification with the large key. This vulnerability is present in the core/crypto module of go-libp2p and can occur during the Noise handshake and the libp2p x509 extension verification step.

To prevent this attack, go-libp2p now restricts RSA keys to <= 8192 bits.

Users should upgrade to go-libp2p >= v0.27.8, >= v0.28.2, or >= v0.29.1.

To protect your application, it is necessary to update to these patch releases AND to build with the updated Go toolchain (1.20.7 or 1.19.12, depending on the Go release line in use), because the Go standard library's crypto/tls package had the same weakness ("verifying certificate chains containing large RSA keys is slow", https://github.com/golang/go/issues/61460) and that verification happens inside the standard library, outside go-libp2p's own code.

There are no known workarounds.

Fix in golang/go crypto/tls: https://github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017
Fix in quic-go: https://github.com/quic-go/quic-go/pull/4012
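The guard the advisory describes (refuse RSA public keys above 8192 bits before spending any time on them) as an added Go example. This is not go-libp2p's or the Go standard library's code: the function names, the error values and the 2048-bit lower bound are assumptions of this example, and the 16384-bit key is fabricated in-process to stand in for a hostile peer's key. It shows the cheap check, where it belongs (at key deserialisation, so every later verification path inherits it), and the contrast between the vulnerable and hardened verification paths.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxRSAKeyBits is the upper bound the advisory describes: the patched
// go-libp2p refuses RSA keys larger than 8192 bits.
const MaxRSAKeyBits = 8192

// MinRSAKeyBits is an assumed lower bound for this example; the advisory
// does not specify one.
const MinRSAKeyBits = 2048

var (
	ErrRSAKeyTooBig   = errors.New("rsa: modulus larger than 8192 bits")
	ErrRSAKeyTooSmall = errors.New("rsa: modulus smaller than 2048 bits")
)

// CheckRSAKeySize is the cheap guard: it looks only at the modulus bit
// length, so rejecting an oversized key costs nothing compared with the
// modular exponentiation a signature check would perform with it.
func CheckRSAKeySize(pub *rsa.PublicKey) error {
	switch bits := pub.N.BitLen(); {
	case bits > MaxRSAKeyBits:
		return ErrRSAKeyTooBig
	case bits < MinRSAKeyBits:
		return ErrRSAKeyTooSmall
	}
	return nil
}

// ParseRSAPublicKey decodes a PKIX (SubjectPublicKeyInfo) DER blob, the
// form in which a peer's key arrives in a certificate or handshake
// message, and applies the size check before returning the key. Doing
// the check here means no caller can forget it.
func ParseRSAPublicKey(der []byte) (*rsa.PublicKey, error) {
	pk, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, err
	}
	pub, ok := pk.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	if err := CheckRSAKeySize(pub); err != nil {
		return nil, err
	}
	return pub, nil
}

// SignSHA256 produces a PKCS#1 v1.5 signature over SHA-256(msg).
func SignSHA256(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// VerifyUnguarded is the vulnerable shape of the verification path: it
// trusts whatever key size the peer sent and pays the full cost.
func VerifyUnguarded(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// VerifyGuarded is the hardened path: size check first, then verify.
func VerifyGuarded(pub *rsa.PublicKey, msg, sig []byte) error {
	if err := CheckRSAKeySize(pub); err != nil {
		return err
	}
	return VerifyUnguarded(pub, msg, sig)
}

// OversizedKey fabricates a syntactically valid RSA public key with a
// modulus of the requested bit length. An attacker does not need a real
// key pair: any odd number of that size makes the verifier do the work.
func OversizedKey(bits int) *rsa.PublicKey {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	n.SetBit(n, 0, 1) // force the low bit so the modulus is odd
	return &rsa.PublicKey{N: n, E: 65537}
}

func main() {
	msg := []byte("constructed handshake payload") // constructed sample input
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, err := SignSHA256(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("2048-bit key, guarded verify:", VerifyGuarded(&priv.PublicKey, msg, sig))

	// A 16384-bit key from a hostile peer: the guard refuses it before any
	// arithmetic, while the unguarded path does the work and then fails anyway.
	hostile := OversizedKey(16384)
	fmt.Println("16384-bit key, guarded verify:", VerifyGuarded(hostile, msg, sig))
	start := time.Now()
	err = VerifyUnguarded(hostile, msg, make([]byte, 16384/8))
	fmt.Printf("16384-bit key, unguarded verify: %v (took %s)\n", err, time.Since(start))
}
```

The check belongs at the point where a peer's key is deserialised (in go-libp2p's case the core/crypto unmarshalling step), so that the Noise handshake and the libp2p x509 extension path both inherit it. It cannot cover certificate-chain verification performed inside the Go standard library's crypto/tls, which is why the advisory requires the toolchain update as well as the go-libp2p patch releases.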
Affected versions of github.com/libp2p/go-libp2p (one row per release branch; compare with the fixed versions listed above):

| Name | Operator | Version |
|---|---|---|
| github.com/libp2p/go-libp2p | eq | 0.29.0 |
| github.com/libp2p/go-libp2p | lt | 0.28.2 |
| github.com/libp2p/go-libp2p | lt | 0.27.8 |
github.com/advisories/GHSA-876p-8259-xjgg
github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017
github.com/golang/go/issues/61460
github.com/libp2p/go-libp2p/commit/0cce607219f3710addc7e18672cffd1f1d912fbb
github.com/libp2p/go-libp2p/commit/445be526aea4ee0b1fa5388aa65d32b2816d3a00
github.com/libp2p/go-libp2p/commit/e30fcf7dfd4715ed89a5e68d7a4f774d3b9aa92d
github.com/libp2p/go-libp2p/pull/2454
github.com/libp2p/go-libp2p/security/advisories/GHSA-876p-8259-xjgg
github.com/quic-go/quic-go/pull/4012
go.dev/issue/61460
nvd.nist.gov/vuln/detail/CVE-2023-39533