CVE-2024-38359

The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic and lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the `--rejecthtlc` CLI flag and also disable forwarding on channels via the `UpdateChanPolicyCommand`, or disable listening on a public network interface via the `--nolisten` flag as a mitigation.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979
https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta
https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7
https://lightning.network
https://morehouse.github.io/lightning/lnd-onion-bomb
https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979
https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta
https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7
https://lightning.network
https://morehouse.github.io/lightning/lnd-onion-bomb

Configurations

No configuration.

History

21 Nov 2024, 09:25

Type	Values Removed	Values Added
Summary		(es) Lightning Network Daemon (lnd): es una implementación completa de un nodo Lightning Network. Una vulnerabilidad de análisis en la lógica de procesamiento de cebolla de lnd y conduce a un vector DoS debido a una asignación excesiva de memoria. El problema se solucionó en lnd v0.17.0. Los usuarios deben actualizar a una versión > v0.17.0 para estar protegidos. Los usuarios que no puedan actualizar pueden configurar el indicador CLI `--rejecthtlc` y también deshabilitar el reenvío de canales a través de `UpdateChanPolicyCommand`, o desactivar la escucha en una interfaz de red pública a través del indicador `--nolisten` como mitigación.
References	~~() https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979 -~~	() https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979 -
References	~~() https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta -~~	() https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta -
References	~~() https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7 -~~	() https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7 -
References	~~() https://lightning.network -~~	() https://lightning.network -
References	~~() https://morehouse.github.io/lightning/lnd-onion-bomb -~~	() https://morehouse.github.io/lightning/lnd-onion-bomb -

20 Jun 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-20 23:15

Updated : 2024-11-21 09:25

NVD link : CVE-2024-38359

Mitre link : CVE-2024-38359

CVE.ORG link : CVE-2024-38359

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

6.5 /10