[Lightning-dev] CVE-2020-26895: LND Low-S Tx-Relay Standardness #21

Open
neocarmack opened this issue Nov 9, 2020 · 0 comments
neocarmack commented Nov 9, 2020

Background

CVE-2020-26895 was fully disclosed on Oct 20, 2020.

LND v0.10.0-beta, released on April 29, 2020, fixed this vulnerability.

Description of vulnerability

A high-S signature causes signature malleability related to ECDSA signature encoding. To fix signature malleability, the low-S signature rule is proposed in BIP-0146, and high-S signatures are no longer accepted by btccore.

Affected Component

OBD core, client sdk

Platform

All

Proof-of-concept

CVE-2020-26895 fully disclosed this vulnerability.

Vulnerability reproduction output

N/A

Fix

For an OBD node: if a signature from the client passed to ECDSA verification does not pass the Low S value check and is not an empty byte array, the entire script evaluates to false immediately. OBD shall reject this signature.

Reference

BIP-0146
CVE-2020-26895
Low S signature to fix

@neocarmack neocarmack added the vulnerability something gets attack label Nov 9, 2020
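
The Low S gate described under "Fix", as an added example that is not part of the issue and not code from LND or OBD. `CheckLowS` and `NormalizeS` are hypothetical names; the sketch assumes a DER signature without the trailing sighash byte and uses Go's `encoding/asn1` in place of a strict consensus DER parser.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// secp256k1 group order n; n/2 is the largest S the Low S rule allows.
var curveN, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16)
var halfN = new(big.Int).Rsh(curveN, 1)

var ErrHighS = errors.New("high-S signature rejected")

type derSig struct{ R, S *big.Int } // DER SEQUENCE { INTEGER r, INTEGER s }

// CheckLowS runs before ECDSA verification. An empty signature is let
// through (it fails verification later); a high-S signature is rejected.
func CheckLowS(sig []byte) error {
	if len(sig) == 0 {
		return nil
	}
	var d derSig
	rest, err := asn1.Unmarshal(sig, &d)
	if err != nil || len(rest) != 0 {
		return errors.New("malformed DER signature")
	}
	if d.R.Sign() <= 0 || d.S.Sign() <= 0 || d.R.Cmp(curveN) >= 0 || d.S.Cmp(curveN) >= 0 {
		return errors.New("r or s out of range")
	}
	if d.S.Cmp(halfN) > 0 {
		return ErrHighS
	}
	return nil
}

// NormalizeS is the signer-side fix: (r, s) and (r, n-s) both verify, so emit the low one.
func NormalizeS(s *big.Int) *big.Int {
	if s.Cmp(halfN) > 0 {
		return new(big.Int).Sub(curveN, s)
	}
	return new(big.Int).Set(s)
}

func main() {
	// Constructed sample values, not a real signature.
	high, _ := asn1.Marshal(derSig{big.NewInt(12345), new(big.Int).Sub(curveN, big.NewInt(5))})
	fmt.Println(CheckLowS(high))
}
```
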