CVE-2026-44505
Received - Intake
DHT Query Progress Handling Flaw in Nimiq network-libp2p

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handle_dht_get (network-libp2p/src/swarm.rs). Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record via dht_verifier.verify(&record.record). On verifier error, handle_dht_get logs and returns early without completing the oneshot used by Network::dht_get, and without cleaning up per-query bookkeeping. Later query progress can hit the "DHT inconsistent state" path and also return without cleanup. Because Network::dht_get awaits the oneshot without a timeout, the caller future can hang indefinitely. This issue has been patched in version 1.4.0.

Affected Vendors & Products

| Vendor | Product | Version / Range |
| --- | --- | --- |
| nimiq | network_libp2p | to 1.4.0 (exc) |
| nimiq | network_libp2p | 1.4.0 |

| CWE ID | Description |
| --- | --- |
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |

Mitigation Strategies

The primary mitigation is to upgrade the network-libp2p library to version 1.4.0 or later, where the vulnerability has been patched.

The patch includes proper handling of verification failures and inconsistent DHT query states by aborting queries and cleaning up resources, preventing indefinite hangs.

Until the upgrade can be applied, monitoring for symptoms such as hanging DHT queries and restarting affected services may help reduce impact.

Executive Summary

The vulnerability exists in the network-libp2p library used by Nimiq, specifically in the handling of Distributed Hash Table (DHT) get-record queries. When a peer returns a FoundRecord, the record is verified. If verification fails, the query process exits early without properly cleaning up the query state or resolving the oneshot channel used by Network::dht_get. This causes the caller to hang indefinitely because it waits on a response that never arrives. The root cause is improper handling of exceptional conditions during the query process.

This flaw allows an untrusted peer to cause a denial-of-service (DoS) condition by wedging the DHT, making the querying node hang indefinitely.
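
The flaw and one way to close it, reduced to a self-contained Rust sketch that is added here as an illustration and is not taken from the Nimiq code base. `Swarm`, `verify`, `found_record_flawed`, `found_record_hardened` and `run` are hypothetical names, and a std `mpsc` channel with a 50 ms bounded wait stands in for the oneshot that `Network::dht_get` awaits.

```rust
use std::collections::HashMap;
use std::sync::mpsc::{channel, Receiver, RecvTimeoutError, Sender};
use std::time::Duration;

// Hypothetical stand-ins, not the nimiq network-libp2p types or API.
type DhtResult = Result<Vec<u8>, &'static str>;

#[derive(Default)]
struct Swarm {
    // Per-query bookkeeping: the reply sender for each in-flight get-record query.
    pending: HashMap<u32, Sender<DhtResult>>,
}

// Constructed verifier: only records starting with b"ok" pass.
fn verify(record: &[u8]) -> Result<(), &'static str> {
    if record.starts_with(b"ok") { Ok(()) } else { Err("verification failed") }
}

impl Swarm {
    fn dht_get(&mut self, id: u32) -> Receiver<DhtResult> {
        let (tx, rx) = channel();
        self.pending.insert(id, tx);
        rx
    }
    // Flawed pattern from the description: early return on verifier error.
    fn found_record_flawed(&mut self, id: u32, record: &[u8]) {
        if verify(record).is_err() {
            return; // sender stays in `pending`, so the caller is never answered
        }
        if let Some(tx) = self.pending.remove(&id) {
            let _ = tx.send(Ok(record.to_vec()));
        }
    }
    // Hardened: every exit path drops the bookkeeping and resolves the caller.
    fn found_record_hardened(&mut self, id: u32, record: &[u8]) {
        let Some(tx) = self.pending.remove(&id) else { return };
        let _ = tx.send(verify(record).map(|_| record.to_vec()));
    }
}

// One query answered with a bad record; the bounded wait stands in for the hang.
fn run(hardened: bool) -> (Result<DhtResult, RecvTimeoutError>, usize) {
    let mut swarm = Swarm::default();
    let rx = swarm.dht_get(7);
    if hardened { swarm.found_record_hardened(7, b"bad") } else { swarm.found_record_flawed(7, b"bad") }
    (rx.recv_timeout(Duration::from_millis(50)), swarm.pending.len())
}
fn main() {
    println!("flawed: {:?}\nhardened: {:?}", run(false), run(true));
}
```

With the flawed handler the wait times out and the sender is still in `pending`; with the hardened handler the caller receives the verification error at once and the map is empty.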

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition on nodes running the affected versions of the network-libp2p library. An attacker can remotely cause the node to hang indefinitely during DHT queries, impacting availability.

  • No privileges or user interaction are required to exploit this vulnerability.
  • The impact is limited to availability; confidentiality and integrity are not affected.

Detection Guidance

This vulnerability causes the Network::dht_get caller future to hang indefinitely due to unresolved oneshot channels when a peer returns a FoundRecord that fails verification. Detection involves monitoring for hanging or stalled DHT GetRecord queries in the network-libp2p component of Nimiq.

Since the issue manifests as hanging asynchronous queries without timeout, you can detect it by observing processes or services that use network-libp2p for unusually long or stuck DHT queries.

Specific commands are not provided in the available resources, but general approaches include:

  • Monitoring logs for repeated errors or warnings related to DHT query verification failures or inconsistent states.
  • Using system tools like `strace` or `lsof` to detect processes stuck waiting on network-libp2p DHT queries.
  • Checking application logs or debugging output for futures or async tasks that never complete.

Compliance Impact

The vulnerability creates a denial-of-service (DoS) condition by making the Distributed Hash Table (DHT) query process hang indefinitely, impacting availability but not confidentiality or integrity.

Since the vulnerability does not affect confidentiality or integrity of data, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

The availability impact could be relevant under standards that require system availability and resilience, but no specific compliance implications are detailed in the provided information.
