This issue affects earlier versions of Indy-Node server software where the `pool-upgrade` request handler could be exploited by an attacker to execute arbitrary code on the server. An attacker could exploit this vulnerability to gain control of the server and to carry out a range of attacks on the ledger. As a workaround, endorsers should not create DIDs for untrusted users. A vulnerable ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded.
Summary
Indy-Node server software versions earlier than 2.0.8 are affected by a vulnerability that allows an attacker to execute arbitrary code on the server. This vulnerability was discovered in Indy-Node server software version 2.0.8, and the update is available on our website at https://indy-nodecdn.com/downloads/INDY-NODE-2.0.8-Update_10AUG2017_2nd_SECURE_webpage.html
The vulnerability affects earlier versions of Indy-Node software where the `pool-upgrade` request handler could be exploited by an attacker to execute arbitrary code on the server. An attacker could exploit this vulnerability to gain control of the server and carry out a range of attacks on the ledger, such as hijacking sessions, forging signatures, and changing data streams between peers or groups of peers. As a workaround, endorsers should not create DIDs for untrusted users; however, if you have already set up a DID for a trusted user, then you should make sure it is not used until the network has been upgraded fully from version 2.0 to 3.0
Alert: Low-value transactions from external networks
If there is a limited number of endorsers on the ledger, a transaction may be created from an external network. This can lead to low-value transactions being broadcasted to the entire ledger, rather than a single endorser. A ledger should configure `auth_rules` to prevent new DIDs from being written to the ledger until the network can be upgraded.
Timeline
Published on: 09/06/2022 17:15:00 UTC
Last modified on: 09/13/2022 14:23:00 UTC