ismp-grandpa crate accepted incorrect signatures

Description

A critical vulnerability was discovered in the ismp-grandpa crate which allowed a malicious prover to easily convince the verifier of the finality of arbitrary headers.

Description

The vulnerability manifests as a verifier that only accepts incorrect signatures of Grandpa precommits. It was introduced in this specific commit, perhaps due to unfamiliarity with core Substrate APIs. The if statement should have included a negation check, similar to the previous code, but this was omitted, causing the verifier to only accept invalid signatures.

This vulnerability remained undetected even with integration tests, as the prover was also misconfigured to initialize the Grandpa verifier with the incorrect authority set_id. This causes verification of honest precommit signatures to fail, because the message being checked is now malformed, and the verifier only accepts signatures or messages that fail the verification check, so the two errors masked each other.

But even more devastatingly, the verifier will also accept malicious GRANDPA signatures for any precommit message.

This vulnerability has been fixed in this commit and a patch release has been published.
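
The failure mode described above, reduced to a self-contained Rust sketch (an added example, not code from ismp-grandpa or its commits). The `toy_sign` keyed checksum stands in for the real signature scheme and is not cryptography; the payload layout, key and function names are assumptions made for illustration.

```rust
// Added illustration, not code from ismp-grandpa. `toy_sign` is a keyed
// checksum standing in for the real signature scheme; it is NOT cryptography.
fn toy_sign(key: u64, payload: &[u8]) -> u64 {
    let seed = key ^ 0xcbf29ce484222325;
    payload.iter().fold(seed, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3))
}

// Hypothetical signed payload: target block number, round, authority set_id.
fn payload(target: u32, round: u64, set_id: u64) -> Vec<u8> {
    let mut p = target.to_le_bytes().to_vec();
    p.extend_from_slice(&round.to_le_bytes());
    p.extend_from_slice(&set_id.to_le_bytes());
    p
}

fn signature_valid(key: u64, msg: &[u8], sig: u64) -> bool {
    toy_sign(key, msg) == sig
}

// The bug class described above: the negation is missing, so a valid
// signature takes the error path and everything else is accepted.
fn verify_inverted(key: u64, msg: &[u8], sig: u64) -> Result<(), &'static str> {
    if signature_valid(key, msg, sig) {
        return Err("invalid signature");
    }
    Ok(())
}

// Corrected form: return an error when the check does NOT pass.
fn verify_fixed(key: u64, msg: &[u8], sig: u64) -> Result<(), &'static str> {
    if !signature_valid(key, msg, sig) {
        return Err("invalid signature");
    }
    Ok(())
}

fn main() {
    let key = 42; // constructed sample key
    let good = payload(100, 7, 5); // what the authority actually signed
    let honest = toy_sign(key, &good);
    let wrong_set = payload(100, 7, 4); // verifier initialised with wrong set_id
    // Masking: the happy-path integration test passes against the inverted check.
    assert!(verify_inverted(key, &wrong_set, honest).is_ok());
    // A negative test exposes it: a corrupted signature must be rejected.
    assert!(verify_inverted(key, &good, honest ^ 1).is_ok()); // bug: accepted
    assert!(verify_fixed(key, &good, honest ^ 1).is_err());
    assert!(verify_fixed(key, &good, honest).is_ok());
}
```

A regression suite for a verifier like this needs both directions: an honest signature over the correct set_id must pass, and a corrupted signature must fail.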

Impact

This could be used to steal funds or compromise other kinds of cross-chain applications.

Patches

This vulnerability has been fixed in the latest version of ismp-grandpa, v15.0.1.

Recommendations

Users who rely on the compromised versions must upgrade immediately, as all vulnerable versions of the crate have been yanked.

Basic information

Type: reviewed
Severity: critical
Published (advisory): 2025-01-28 17:29:17 UTC
Updated: 2025-01-28 20:15:50 UTC
GitHub reviewed: 2025-01-28 17:29:17 UTC
NVD published: 2025-01-28

EPSS Score

Score: 0.08%
Percentile: 23.01%

CVSS Scores

Base score: 9.3
Version: 4.0
Severity: critical
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-347 Improper Verification of Cryptographic Signature

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rust ismp-grandpa < 15.0.1 15.0.1
rust grandpa-verifier-primitives < 0.1.2 0.1.2
rust grandpa-verifier < 0.1.2 0.1.2
