Lucene search

GitHub_MVULNRICHMENT:CVE-2024-38359

HistoryJun 20, 2024 - 10:16 p.m.

CVE-2024-38359 Lightning Network Daemon Onion Bomb

2024-06-2022:16:00

CWE-20

GitHub_M

github.com

lightning network

lnd

dos

memory allocation

vulnerability

parsing

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd’s onion processing logic and lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the --rejecthtlc CLI flag and also disable forwarding on channels via the UpdateChanPolicyCommand, or disable listening on a public network interface via the --nolisten flag as a mitigation.

CNA Affected

[
  {
    "vendor": "lightningnetwork",
    "product": "lnd",
    "versions": [
      {
        "version": "< 0.17.0",
        "status": "affected"
      }
    ]
  }
]

References

delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979

github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta

github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7

lightning.network

morehouse.github.io/lightning/lnd-onion-bomb

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for VULNRICHMENT:CVE-2024-38359