CVE-2021-41135
vulnerability analysis and mitigation

Overview

The Cosmos SDK, a framework for building blockchain applications in Go, was affected by a high-severity vulnerability (CVE-2021-41135) in versions 0.43.x, 0.44.0 and 0.44.1. The vulnerability was discovered by the Provenance team on October 8, 2021, and a security patch was released in version 0.44.2 on October 12, 2021. The root cause was non-deterministic behavior in the ValidateBasic method of the x/authz module: a validity check that depended on each node's own wall clock rather than on state every validator shares (Cosmos Forum).

Technical details

The vulnerability stemmed from MsgGrant in the x/authz module, which carries a Grant field with a user-defined expiration time. In Grant.ValidateBasic(), that expiration was compared against the validating node's local clock. ValidateBasic is meant to be a stateless check that depends only on the contents of the message, so every node must reach the same verdict for the same bytes; reading the local clock breaks that guarantee, because validators' wall clocks are never exactly in sync. The correct reference point is the timestamp in the block header, which is agreed upon by consensus and therefore serves as a Byzantine Fault Tolerant clock that every node sees identically (Cosmos Forum).

Impact

Any chain running an affected version of the SDK with the authz module enabled could be halted by anyone able to send transactions on that chain. An attacker could submit MsgGrant transactions whose expiration times fall within the clock skew between validators (a few seconds around the current time). Some nodes would then consider a grant already expired and reject the transaction while others would accept it, so the validators could no longer agree on the block and the chain would halt. Recovery required applying the patch and rolling back the latest block. Notably, the Cosmos Hub was not affected by this vulnerability (Cosmos Forum).

Mitigation and workarounds

The vulnerability was addressed in version 0.44.2 of the Cosmos SDK by removing the expiration check from ValidateBasic entirely, leaving only checks that depend on the message itself. The development team indicated that a future release may reintroduce the check using the block timestamp instead of the node's local time, restoring the defensive measure without reintroducing the non-determinism (Cosmos Forum).
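The following Go program is an added illustration of the non-determinism described under Technical details and of the 0.44.2 fix described above. It is not code from the Cosmos SDK: the Grant struct, the function names, the validator clocks and the "cosmos1..." addresses are all constructed for this example. The vulnerable check takes the node's clock as a parameter (standing in for a call to time.Now()) so that clock skew can be simulated offline; the fixed ValidateBasic is clock-free, and the expiration is enforced separately against a block timestamp that every node shares.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant mirrors the shape of the x/authz grant discussed in the text:
// a granter, a grantee and a user-supplied expiration. Constructed for this
// example; it is not the SDK's type.
type Grant struct {
	Granter    string
	Grantee    string
	Expiration time.Time
}

var ErrExpired = errors.New("grant expired")

// validateBasicVulnerable reproduces the pattern behind CVE-2021-41135:
// a supposedly stateless validity check that consults the validating node's
// own clock. localNow stands in for time.Now() so the skew can be simulated.
func validateBasicVulnerable(g Grant, localNow time.Time) error {
	if g.Expiration.Before(localNow) {
		return ErrExpired
	}
	return nil
}

// validateBasicFixed follows the 0.44.2 approach: only checks that depend on
// the message bytes remain, so every node computes the same verdict.
func validateBasicFixed(g Grant) error {
	if g.Granter == "" || g.Grantee == "" {
		return errors.New("granter and grantee must be set")
	}
	if g.Granter == g.Grantee {
		return errors.New("granter and grantee cannot be the same")
	}
	return nil
}

// checkExpirationAtBlock is where a time comparison belongs: in the message
// handler, against the consensus-agreed block header time (ctx.BlockTime()
// in the SDK). All validators see the same blockTime, so they agree.
func checkExpirationAtBlock(g Grant, blockTime time.Time) error {
	if !g.Expiration.After(blockTime) {
		return ErrExpired
	}
	return nil
}

// simulateNodes runs the same check on every validator clock and counts how
// many accept versus reject the grant. Any split means the chain halts.
func simulateNodes(g Grant, clocks []time.Time, check func(Grant, time.Time) error) (accept, reject int) {
	for _, c := range clocks {
		if check(g, c) == nil {
			accept++
		} else {
			reject++
		}
	}
	return accept, reject
}

func main() {
	blockTime := time.Date(2021, 10, 12, 12, 0, 0, 0, time.UTC)

	// Constructed: four validators whose wall clocks drift by a few seconds.
	clocks := []time.Time{
		blockTime.Add(-3 * time.Second),
		blockTime.Add(-1 * time.Second),
		blockTime.Add(2 * time.Second),
		blockTime.Add(5 * time.Second),
	}

	// Attacker-chosen expiration inside the skew window (hypothetical addresses).
	g := Grant{
		Granter:    "cosmos1granter",
		Grantee:    "cosmos1grantee",
		Expiration: blockTime.Add(1 * time.Second),
	}

	a, r := simulateNodes(g, clocks, validateBasicVulnerable)
	fmt.Printf("local-clock check:  %d accept, %d reject (split => halt)\n", a, r)

	atBlock := func(g Grant, _ time.Time) error { return checkExpirationAtBlock(g, blockTime) }
	a, r = simulateNodes(g, clocks, atBlock)
	fmt.Printf("block-time check:   %d accept, %d reject\n", a, r)

	fmt.Println("fixed ValidateBasic:", validateBasicFixed(g))
}
```

With the constructed clocks, the local-clock check splits the validator set two against two on a single transaction, which is exactly the outcome the advisory warns about; the block-time check yields the same answer on every node, and the fixed ValidateBasic does not look at time at all, so an already-expired grant passes it and is rejected later in the handler.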

Community reactions

The Cosmos team followed their vulnerability disclosure policy by providing pre-notification 24 hours before publishing the public advisory. They proactively reached out to partners using impacted versions of Cosmos-SDK and posted notifications on the Cosmos forum and dedicated mailing lists. The timing of the patch release was specifically chosen to accommodate partners and community members across different time zones (Cosmos Forum).
