Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-876P-8259-XJGG
HistoryAug 09, 2023 - 1:18 p.m.

libp2p nodes vulnerable to attack using large RSA keys

2023-08-0913:18:18
CWE-770
GitHub Advisory Database
github.com
17
rsa keys
resource exhaustion
attack
verification
go-libp2p
patch
golang
quic-go

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

44.0%

JSON

Impact

A malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in the core/crypto module of go-libp2p and can occur during the Noise handshake and the libp2p x509 extension verification step.
To prevent this attack, go-libp2p now restricts RSA keys to <= 8192 bits.

Patches

Users should upgrade their go-libp2p versions to >=v0.27.8, >= v0.28.2, or >=v0.29.1
To protect your application, it’s necessary to update to these patch releases AND to use the updated Go compiler (1.20.7 or 1.19.12, respectively)

Workarounds

There are no known workarounds

References

The Golang crypto/tls package also had this vulnerability ("verifying certificate chains containing large RSA keys is slow” https://github.com/golang/go/issues/61460)
Fix in golang/go crypto/tls: https://github.com/golang/go/commit/2350afd2e8ab054390e284c95d5b089c142db017
Fix in quic-go https://github.com/quic-go/quic-go/pull/4012

Affected configurations

Vulners
Node
github.com\/libp2p\/golibp2pMatch0.29.0
OR
github.com\/libp2p\/golibp2pRange<0.28.2
OR
github.com\/libp2p\/golibp2pRange<0.27.8

Related

cve 1
osv 3
nvd 1
prion 1
redhatcve 1
cbl_mariner 3
veracode 1
cvelist 1
ibm 9
cve
cve
CVE-2023-39533
2023-08-08 19:15:10
osv
osv
CVE-2023-39533
2023-08-08 19:15:10
Large RSA keys can cause high resource usage in github.com/libp2p/go-libp2p
2023-08-08 23:49:18
libp2p nodes vulnerable to attack using large RSA keys
2023-08-09 13:18:18
nvd
nvd
CVE-2023-39533
2023-08-08 19:15:10
prion
prion
Design/Logic Flaw
2023-08-08 19:15:00
redhatcve
redhatcve
CVE-2023-39533
2023-10-04 14:25:32
cbl_mariner
cbl_mariner
CVE-2023-39533 affecting package golang for versions less than 1.19.12-1
2024-07-05 21:08:33
CVE-2023-39533 affecting package msft-golang for versions less than 1.19.12-1
2024-07-05 21:08:40
CVE-2023-39533 affecting package golang for versions less than 1.19.12-1
2024-07-05 21:08:40
veracode
veracode
Denial Of Service (DoS)
2023-08-10 09:03:08
cvelist
cvelist
CVE-2023-39533 libp2p nodes vulnerable to attack using large RSA keys
2023-08-08 18:50:05
ibm
ibm
Security Bulletin: Multiple security vulnerabilities in Go may affect IBM Robotic Process Automation for Cloud Pak
2023-11-03 14:26:27
Security Bulletin: IBM Cloud Pak for Data Scheduling binaries were built with a go compiler with vulnerabilities( CVE-2023-39318, CVE-2023-39319, CVE-2023-39533 )
2023-12-06 16:00:08
Security Bulletin: IBM Observability with Instana is affected by multiple vulnerabilities
2024-01-31 11:30:26

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

44.0%

JSON
Related for GHSA-876P-8259-XJGG
cve1osv3nvd1prion1redhatcve1cbl_mariner3veracode1cvelist1ibm9