CWA-2024-009
Severity
Low (Marginal + Likely)1
Affected versions:
Patched versions:
- wasmd 0.53.2 (please note that wasmd 0.53.1 is broken and must not be used)
Description of the bug
(Blank for now. We'll add more detail once chains had a chance to upgrade.)
Mitigations
Apart from upgrading, it is recommended to not open the gRPC and REST APIs of validator nodes to the public internet. Use isolated and resource-constrained environments for running separate public RPC nodes instead.
These can then easily be thrown away and replaced with new instances in case of problems.
Applying the patch
Official Wasmd patch
The patch will be shipped in a wasmd release. You will also have to update libwasmvm
if you build statically.
If you already use the latest / close to latest wasmd, you can update more or less as follows:
- Check the current wasmd version:
go list -m github.com/CosmWasm/wasmd
- Bump the
github.com/CosmWasm/wasmd
dependency in your go.mod to 0.53.2 (Cosmos SDK 0.50 compatible); go mod tidy
; commit.
- If you use the static libraries
libwasmvm_muslc.aarch64.a
/libwasmvm_muslc.x86_64.a
, make sure that you use the same version as your wasmvm version.
- Check the updated wasmd version:
go list -m github.com/CosmWasm/wasmd
and ensure you see 0.53.2.
- Follow your regular practices to deploy chain upgrades.
To double check if the correct library version is loaded at runtime, use this query:
<appd> query wasm libwasmvm-version
. It must show 2.1.4.
The patch is not consensus breaking if you are already using wasmvm 2.1.3.
If you are instead using wasmvm 2.1.2, then upgrading to 2.1.4 includes the consensus breaking changes of 2.1.3.
DIY Patch
If you are unable to upgrade to the latest version, you can backport the wasmd patch to your version. The patch is available at Wasmd 0.53.2.
However, if you are on an older version of wasmd, you will also be using a different version of wasmvm. We provide the required patches for wasmvm in versions 2.1.4, 2.0.5, 1.5.6.
To upgrade using this method:
- Check the current wasmvm version:
go list -m github.com/CosmWasm/wasmvm
and upgrade
to the closest patched version.
- Bump the github.com/CosmWasm/wasmvm dependency in your go.mod to the closest compatible patched version (either 2.1.4, 2.0.5 or 1.5.6); go mod tidy; commit.
- Apply the patch linked above to your version of wasmd.
- If you use the static libraries
libwasmvm_muslc.aarch64.a
/libwasmvm_muslc.x86_64.a
, make sure that you use the same version as your wasmvm version.
- Follow your regular practices to deploy chain upgrades.
To double check if the correct library version is loaded at runtime, use this query:
<appd> query wasm libwasmvm-version
. It must show 2.1.4, 2.0.5 or 1.5.6 and must be the same as the wasmvm version in your go.sum.
The patch is not consensus breaking as long as you were using the previous patch version of wasmvm before.
Acknowledgement
This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the
program by reporting a bug, please see https://hackerone.com/cosmos.
Timeline
- 2024-09-25: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
- 2024-09-30: Confio security contributors confirm the report.
- 2024-11-21: Confio developed the patch internally.
- 2024-12-06: Patch release is pre-announced through notification lists.
- 2024-12-10: Patch released.
References
CWA-2024-009
Severity
Low (Marginal + Likely)1
Affected versions:
Patched versions:
Description of the bug
(Blank for now. We'll add more detail once chains had a chance to upgrade.)
Mitigations
Apart from upgrading, it is recommended to not open the gRPC and REST APIs of validator nodes to the public internet. Use isolated and resource-constrained environments for running separate public RPC nodes instead.
These can then easily be thrown away and replaced with new instances in case of problems.
Applying the patch
Official Wasmd patch
The patch will be shipped in a wasmd release. You will also have to update
libwasmvm
if you build statically.If you already use the latest / close to latest wasmd, you can update more or less as follows:
go list -m github.com/CosmWasm/wasmd
github.com/CosmWasm/wasmd
dependency in your go.mod to 0.53.2 (Cosmos SDK 0.50 compatible);go mod tidy
; commit.libwasmvm_muslc.aarch64.a
/libwasmvm_muslc.x86_64.a
, make sure that you use the same version as your wasmvm version.go list -m github.com/CosmWasm/wasmd
and ensure you see 0.53.2.To double check if the correct library version is loaded at runtime, use this query:
<appd> query wasm libwasmvm-version
. It must show 2.1.4.The patch is not consensus breaking if you are already using wasmvm 2.1.3.
If you are instead using wasmvm 2.1.2, then upgrading to 2.1.4 includes the consensus breaking changes of 2.1.3.
DIY Patch
If you are unable to upgrade to the latest version, you can backport the wasmd patch to your version. The patch is available at Wasmd 0.53.2.
However, if you are on an older version of wasmd, you will also be using a different version of wasmvm. We provide the required patches for wasmvm in versions 2.1.4, 2.0.5, 1.5.6.
To upgrade using this method:
go list -m github.com/CosmWasm/wasmvm
and upgradeto the closest patched version.
libwasmvm_muslc.aarch64.a
/libwasmvm_muslc.x86_64.a
, make sure that you use the same version as your wasmvm version.To double check if the correct library version is loaded at runtime, use this query:
<appd> query wasm libwasmvm-version
. It must show 2.1.4, 2.0.5 or 1.5.6 and must be the same as the wasmvm version in your go.sum.The patch is not consensus breaking as long as you were using the previous patch version of wasmvm before.
Acknowledgement
This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the
program by reporting a bug, please see https://hackerone.com/cosmos.
Timeline
References
Footnotes
following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md ↩