libp2p nodes vulnerable to OOM attack

Overview

Source
ID
GHSA-gcq9-qqwx-rgj3
Aliases
CVE-2023-40583
GO-2023-2024

Description

### Summary In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash.

It is feasible to do this at scale. An attacker would have to transfer ~1/2 as much memory it wants to occupy (2x amplification factor).

The attacker can perform this attack over time as the target node’s memory will not be garbage collected.

This can occur because when a signed peer record is received, only the signature validity check is performed but the sender signature is not checked. Signed peer records from randomly generated peers can be sent by a malicious actor. A target node will accept the peer record as long as the signature is valid, and then stored in the peer store.

There is cleanup logic in the peer store that cleans up data when a peer disconnects, but this cleanup is never triggered for the fake peer (from which signed peer records were accepted) because it was never “connected”.

### Impact If users of go-libp2p in production are not monitoring memory consumption over time, it could be a silent attack i.e. the attacker could bring down nodes over a period of time (how long depends on the node resources i.e. a go-libp2p node on a virtual server with 4 gb of memory takes about 90 sec to bring down; on a larger server, it might take a bit longer.)

### Patches Update your go-libp2p dependency to the latest release, v0.30.0 at the time of writing.

If you'd like to stay on the 0.27.x release, we strongly recommend users to update to go-libp2p [0.27.7](https://github.com/libp2p/go-libp2p/releases/tag/v0.27.7). Though this OOM issue was fixed in 0.27.4, there were subsequent patch releases afterwards (important fixes for other issues unrelated to the OOM).

### Workarounds None

Summary

2.59k
Total packages affected
Packages with at least one version that is affected by the advisory or has an affected dependency.
324
Packages with a known fix
Packages with versions affected by the advisory that have a greater version that is not affected.
0.20%
Total ecosystem affected
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected Version: Introduced: 0, Fixed: 0.27.4
Patched/Unaffected
v0.27.4
v0.27.5
v0.27.6
v0.27.7
v0.27.8
v0.27.9
v0.28.0
v0.28.1
v0.28.2
v0.28.3
v0.29.0
v0.29.1
v0.29.2
v0.30.0
v0.30.1
v0.31.0
v0.31.1
v0.32.0
v0.32.1
v0.32.2
v0.33.0
v0.33.1
v0.33.2
v0.34.0
v0.34.1
v0.35.0
v0.35.1
v0.35.2
v0.35.3
v0.35.4
v0.35.5
v0.36.0
v0.36.1
v0.36.2
v0.36.3
v0.36.4
v0.36.5
v0.37.0
v0.37.1
v0.37.2
v0.38.0
v0.38.1
Affected
v0.27.3
v0.27.2
v0.27.1
v0.27.0
v0.26.4
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.1
v0.25.0
v0.24.2
v0.24.1
v0.24.0
v0.23.4
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.3
v0.20.2
v0.20.1
v0.20.0
v0.19.4
v0.19.3
v0.19.2
v0.19.1
v0.19.0
v0.18.1
v0.18.0
v0.17.0
v0.16.0
v0.15.1
v0.15.0
v0.14.4
v0.14.3
v0.14.2
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.3
v0.10.2
v0.10.1
v0.10.0
v0.9.6
v0.9.5
v0.9.4
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.3
v0.8.2
v0.8.1
v0.8.0
v0.7.4
v0.7.3
v0.7.2
v0.7.1
v0.7.0
v0.6.1
v0.6.0
v0.5.2
v0.5.1
v0.5.0
v0.4.2
v0.4.1
v0.4.0
v0.3.1
v0.3.0
v0.2.1
v0.2.0
v0.1.2
v0.1.1
v0.1.0
v0.0.32
v0.0.31
v0.0.30
v0.0.29
v0.0.28
v0.0.27
v0.0.26
v0.0.25
v0.0.24
v0.0.23
v0.0.22
v0.0.21
v0.0.20
v0.0.19
v0.0.18
v0.0.17
v0.0.16
v0.0.15
v0.0.14
v0.0.13
v0.0.12
v0.0.11
v0.0.10
v0.0.9
v0.0.8
v0.0.7
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1