ubuntucve | Ubuntu.com | UB:CVE-2023-6245
Dec 08, 2023 - 12:00 a.m.

CVE-2023-6245

candid library
denial of service
rust
infinite decoding loop
specially crafted payload
empty data type
canisters
maximum instruction limit
degraded performance

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
Percentile: 49.6%

The Candid library causes a Denial of Service while parsing a specially
crafted payload with the 'empty' data type. For example, if the payload is
record { * ; empty } and the canister interface expects record { * },
then the Rust candid decoder treats empty as an extra field required by the
type. The problem with the type empty is that the candid Rust library
wrongly categorizes empty as a recoverable error when skipping the field,
which causes an infinite decoding loop. Canisters using affected versions
of candid are exposed to denial of service: the decoding runs indefinitely
until the canister traps on reaching the maximum instruction limit per
execution round. Repeated exposure to the payload will result in degraded
performance of the canister. Note: Canisters written in Motoko are
unaffected.
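
The failure mode described above, as a simplified Rust model added here as an example; it is not the candid crate's code. All type and function names, the `patched` switch, and the step budget standing in for the instruction limit are assumptions.

```rust
// Simplified model of the failure mode described above; NOT the candid crate's code.
// All names here (WireType, SkipError, Outcome, decode_record, BUDGET) are hypothetical.

#[derive(Clone, Copy)]
enum WireType { Nat, Text, Empty }

enum SkipError { Recoverable, Fatal }

#[derive(PartialEq, Debug)]
enum Outcome { Decoded, Rejected, Trapped }

// Stand-in for the per-round instruction limit that makes a canister trap.
const BUDGET: u32 = 10_000;

// Skip one field the expected type does not declare. No value of type `empty`
// exists, so it can never be skipped; `patched` selects how that is reported.
fn skip_field(ty: WireType, patched: bool) -> Result<(), SkipError> {
    match ty {
        WireType::Empty if patched => Err(SkipError::Fatal),
        WireType::Empty => Err(SkipError::Recoverable), // the misclassification
        _ => Ok(()),
    }
}

// Decode a record whose first `expected` fields are declared by the interface;
// every further field on the wire is extra and has to be skipped.
fn decode_record(wire: &[WireType], expected: usize, patched: bool) -> Outcome {
    let mut pos = expected.min(wire.len());
    let mut steps = 0u32;
    while pos < wire.len() {
        steps += 1;
        if steps > BUDGET { return Outcome::Trapped; } // the loop made no progress
        match skip_field(wire[pos], patched) {
            Ok(()) => pos += 1,
            // Retried without consuming input: same field, same error, forever.
            Err(SkipError::Recoverable) => continue,
            Err(SkipError::Fatal) => return Outcome::Rejected,
        }
    }
    Outcome::Decoded
}

fn main() {
    let crafted = [WireType::Nat, WireType::Empty]; // constructed: record { * ; empty }
    let benign = [WireType::Nat, WireType::Text]; // constructed: one skippable extra field
    for patched in [false, true] {
        println!("patched={}: crafted={:?} benign={:?}", patched,
            decode_record(&crafted, 1, patched), decode_record(&benign, 1, patched));
    }
}
```

In the model, the unpatched classification spends the whole budget on a single field, while the fatal classification rejects the payload on the first attempt and leaves well-formed input unaffected.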

OS      Version  Architecture  Package  Version  Filename
ubuntu  18.04    noarch        candid   < any    UNKNOWN
