Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

CVE-2021-21405 : What You Need to Know

Learn about CVE-2021-21405 affecting Lotus, an Implementation of the Filecoin protocol. Understand the BLS signature malleability vulnerability, its impact, affected systems, and mitigation steps.

Lotus, an Implementation of the Filecoin protocol, is vulnerable to a BLS signature malleability issue. This vulnerability could allow malicious actors to exploit the uniqueness check on provided blocks, potentially leading to the punishment of miners for valid blocks. By switching to specific code paths, this issue can be mitigated.

Understanding CVE-2021-21405

This section dives into the details of the BLS signature malleability vulnerability in Lotus.

What is CVE-2021-21405?

Lotus, a Go-based Implementation of the Filecoin protocol, is susceptible to a BLS signature malleability flaw. The issue stems from how Lotus handles BLS signature validation, which could result in punishing miners for valid blocks.

The Impact of CVE-2021-21405

The CVSS v3.1 base score for CVE-2021-21405 is 5.9, categorizing it as a medium severity vulnerability. The vulnerability has a high impact on integrity, affecting network-connected systems.

Technical Details of CVE-2021-21405

In this section, we explore the technical aspects of the vulnerability in Lotus.

Vulnerability Description

Lotus employs the blst library method VerifyCompressed for BLS signature validation. The method allows signatures in two unique forms, leading to the possibility of distinct but valid block CIDs, potentially impacting miners.

Affected Systems and Versions

Lotus versions prior to 1.5.0 are affected by this vulnerability. Users operating on these versions are encouraged to upgrade to a patched release.

Exploitation Mechanism

Malicious actors can exploit the BLS signature malleability issue by providing two valid block CIDs due to discrepancies in signature serialization, impacting block validation.

Mitigation and Prevention

To address CVE-2021-21405, immediate actions and long-term security practices are recommended.

Immediate Steps to Take

Users should update Lotus to version 1.5.0 or above to mitigate the BLS signature malleability vulnerability. Additionally, monitoring for unusual block validation patterns can help detect potential attacks.

Long-Term Security Practices

Implementing secure coding practices, conducting regular security audits, and staying informed about protocol updates can enhance the overall security posture of Lotus deployments.

Patching and Updates

Regularly updating Lotus to the latest versions, following security advisories, and applying patches promptly is crucial in addressing known vulnerabilities and enhancing system security.

Popular CVEs

CVE Id

Published Date

Is your System Free of Underlying Vulnerabilities?
Find Out Now