CVE-2020-15091 - OpenCVE

TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tendermint	Tendermint

Configuration 1 [-]

cpe:2.3:a:tendermint:tendermint:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340
https://github.com/tendermint/tendermint/issues/4926
https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-07-02T17:05:15

Updated: 2024-08-04T13:08:21.884Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15091

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-07-02T17:15:12.547

Modified: 2020-07-08T19:16:14.410

Link: CVE-2020-15091

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "tendermint", "vendor": "tendermint", "versions": [{"status": "affected", "version": ">= 0.33.0, < 0.33.6"}]}], "descriptions": [{"lang": "en", "value": "TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "{\"CWE-347\":\"Improper Verification of Cryptographic Signature\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-02T17:05:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tendermint/tendermint/issues/4926"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"}], "source": {"advisory": "GHSA-6jqj-f58p-mrw3", "discovery": "UNKNOWN"}, "title": "Denial of Service in TenderMint", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15091", "STATE": "PUBLIC", "TITLE": "Denial of Service in TenderMint"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tendermint", "version": {"version_data": [{"version_value": ">= 0.33.0, < 0.33.6"}]}}]}, "vendor_name": "tendermint"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-347\":\"Improper Verification of Cryptographic Signature\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3", "refsource": "CONFIRM", "url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3"}, {"name": "https://github.com/tendermint/tendermint/issues/4926", "refsource": "MISC", "url": "https://github.com/tendermint/tendermint/issues/4926"}, {"name": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340", "refsource": "MISC", "url": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"}]}, "source": {"advisory": "GHSA-6jqj-f58p-mrw3", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:21.884Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tendermint/tendermint/issues/4926"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15091", "datePublished": "2020-07-02T17:05:15", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.884Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tendermint:tendermint:*:*:*:*:*:*:*:*", "matchCriteriaId": "48BDDFA1-3EF9-4F28-9686-41B9A2898B79", "versionEndExcluding": "0.33.6", "versionStartIncluding": "0.33.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit."}, {"lang": "es", "value": "TenderMint desde versi\u00f3n 0.33.0 y anteriores a versi\u00f3n 0.33.6, permite a proponentes de bloque incluir firmas para el bloque equivocado. Esto puede suceder naturalmente si inicia una red, la hace funcionar durante un tiempo y la reinicia (**without changing chainID**). Un proponente de bloque malicioso (inclusive con una cantidad m\u00ednima de participaci\u00f3n) puede usar esta vulnerabilidad para detener completamente la red. Este problema es corregido en Tendermint versi\u00f3n 0.33.6, que comprueba que todas las firmas son para el bloque con una mayor\u00eda de 2/3+ antes de crear una confirmaci\u00f3n"}], "id": "CVE-2020-15091", "lastModified": "2020-07-08T19:16:14.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-07-02T17:15:12.547", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tendermint/tendermint/commit/480b995a31727593f58b361af979054d17d84340"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/tendermint/tendermint/issues/4926"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-6jqj-f58p-mrw3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}