GoogleOSV:GHSA-XQQC-C5GW-C5R5Tendermint light client verification not taking into account chain ID
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS
Percentile
31.5%
Impact
Anyone using the tendermint-light-client and related packages to perform light client verification (e.g. IBC-rs, Hermes).
At present, the light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client.
The attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks.
Patches
Users of the light client-related crates can currently upgrade to v0.28.0.
Workarounds
None
References
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS
Percentile
31.5%