Skip to content

Light client verification not taking into account chain ID

Moderate
thanethomson published GHSA-xqqc-c5gw-c5r5 Dec 14, 2022

Package

cargo tendermint-light-client (Rust)

Affected versions

<= 0.27.0

Patched versions

0.28.0-pre.1, 0.28.0
cargo tendermint-light-client-js (Rust)
<= 0.27.0
0.28.0-pre.1, 0.28.0
cargo tendermint-light-client-verifier (Rust)
<= 0.27.0
0.28.0-pre.1, 0.28.0

Description

Impact

Anyone using the tendermint-light-client and related packages to perform light client verification (e.g. IBC-rs, Hermes).

At present, the light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client.

The attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks.

Patches

Users of the light client-related crates can currently upgrade to v0.28.0.

Workarounds

None

References

Severity

Moderate
5.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE ID

CVE-2022-23507

Weaknesses

No CWEs

Credits