CVE-2021-39167 : Vulnerability Insights and Analysis
OpenZepplin library for smart contract development faced a critical vulnerability. Learn about CVE-2021-39167 impact, mitigation steps, affected versions, and more.
OpenZepplin is a library for smart contract development with affected versions having a vulnerability in TimelockController allowing privilege escalation. Learn more details and mitigation steps here.
Understanding CVE-2021-39167
OpenZepplin library for smart contracts had a critical vulnerability in TimelockController, impacting specific versions.
What is CVE-2021-39167?
- Vulnerability in TimelockController allowed an actor with the executor role to escalate privileges.
- Disclosure of further details of the vulnerability is pending.
The Impact of CVE-2021-39167
- CVSS Score: 10 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- High impacts on Availability, Confidentiality, and Integrity
- Privileges Required: None
- Scope: Changed
- No user interaction required
Technical Details of CVE-2021-39167
The technical aspects surrounding the vulnerability in OpenZeppelin Contracts.
Vulnerability Description
- Improper Privilege Management (CWE-269)
- Escalation of privileges through the TimelockController
Affected Systems and Versions
- Affected Product: openzeppelin-contracts by OpenZeppelin
- Vulnerable Versions: >=4.0.0, < 4.3.1 AND >=3.3.0, < 3.4.2 AND >= 3.3.0-solc-0.7, < 3.4.2-solc-0.7
Exploitation Mechanism
- An actor with the executor role can exploit the vulnerability to escalate privileges.
Mitigation and Prevention
Steps to mitigate and prevent the vulnerabilities in OpenZeppelin Contracts.
Immediate Steps to Take
- Revoke executor role from accounts not strictly controlled by the team
- Ensure at least one executor and proposer remains
Long-Term Security Practices
- Regularly review and audit smart contracts
- Follow least privilege principle in assigning roles
Patching and Updates
- Update to versions not affected by the vulnerability