Discover how CVE-2021-21271 in Tendermint Core 0.34.0 to 0.34.2 enables denial of service attacks. Learn about the impact, technical details, and mitigation steps.
Tendermint Core version 0.34.0 to 0.34.2 is affected by a vulnerability that allows DoS attacks through double signs. The release of version 0.34.3 addresses this issue by changing the way DuplicateVoteEvidence is handled.
Understanding CVE-2021-21271
This CVE involves a vulnerability in Tendermint Core that could be exploited for DoS attacks in versions 0.34.0 to 0.34.2.
What is CVE-2021-21271?
CVE-2021-21271 is a security vulnerability in Tendermint Core that enables Denial of Service (DoS) attacks due to inconsistencies in forming DuplicateVoteEvidence in versions 0.34.0 to 0.34.2.
The Impact of CVE-2021-21271
The vulnerability allows malicious actors to disrupt the network by triggering double signs, potentially causing nodes to disconnect or propose invalid evidence, affecting network stability.
Technical Details of CVE-2021-21271
The vulnerability is rated with a CVSS v3.1 base score of 6.5 (Medium severity) with a network-based attack vector and high availability impact. It is classified under CWE-400 (Uncontrolled Resource Consumption).
Vulnerability Description
Tendermint Core versions 0.34.0 to 0.34.2 mishandle the formation of DuplicateVoteEvidence, leading to inconsistent timestamps and the potential for DoS attacks through double signs.
Affected Systems and Versions
The vulnerability impacts Tendermint Core versions 0.34.0 to 0.34.2.
Exploitation Mechanism
By forming DuplicateVoteEvidence with different timestamps, attackers can exploit the inconsistency to cause disruption, leading to DoS attacks.
Mitigation and Prevention
To mitigate the CVE-2021-21271 vulnerability, users are recommended to update their Tendermint Core installations to version 0.34.3.
Immediate Steps to Take
Upgrade to Tendermint Core version 0.34.3 to prevent DoS attacks leveraging this vulnerability.
Long-Term Security Practices
Regularly update to the latest versions of Tendermint Core to patch known security issues and protect the network.
Patching and Updates
Stay informed about security releases and apply patches promptly to maintain a secure deployment.