Lucene search

GoogleOSV:GHSA-9GXX-58Q6-42P7

HistoryJun 20, 2024 - 7:18 p.m.

Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service

2024-06-2019:18:25

Google

osv.dev

vulnerability

memory allocation

patches

update

blog post

developer discussion

logic

lightning network

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Impact

A parsing vulnerability in lnd’s onion processing logic led to a DoS vector due to excessive memory allocation.

Patches

The issue was patched in lnd v0.17.0. Users should update to a version >= v0.17.0 to be protected.

References

Detailed blog post: https://morehouse.github.io/lightning/lnd-onion-bomb/

Developer discussion: https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979

CPENameOperatorVersion
github.com/lightningnetwork/lndlt0.17.0-beta

CPE	Name	Operator	Version
	github.com/lightningnetwork/lnd	lt	0.17.0-beta

References

delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979

github.com/lightningnetwork/lnd

github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta

github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7

lightning.network

morehouse.github.io/lightning/lnd-onion-bomb

nvd.nist.gov/vuln/detail/CVE-2024-38359

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for OSV:GHSA-9GXX-58Q6-42P7