CVE-2023-40583
vulnerability analysis and mitigation

Overview

CVE-2023-40583 affects go-libp2p, a networking stack and library modularized from The IPFS Project. The vulnerability was publicly disclosed on August 25, 2023 and affects go-libp2p versions up to and including 0.27.3. It allows a malicious peer to store arbitrary amounts of data in a remote node's memory by sending signed peer records, exhausting the node's memory and potentially crashing it (GitHub Advisory).

Technical details

The flaw is in how received signed peer records are validated. The node checks that the record's signature is valid for the public key carried in the record, but it does not verify that the record belongs to the peer that actually sent it. An attacker connected as a single peer can therefore generate any number of throwaway identities, sign a peer record for each, and push them over the connection; the target accepts each record and stores it in its peer store under the forged peer's ID. The peer store does clean up a peer's data when that peer disconnects, but the cleanup is driven by connection events, so it never fires for the forged peers, which were never connected. The vulnerability has a CVSS v3.1 base score of 7.5 (High), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).
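The following Go program is an added example, not go-libp2p code, that models the behaviour described above with a toy signed-record envelope built on the standard library's ed25519. Peer IDs are truncated hashes of the public key, and the names PeerStore, Receive, Disconnect and Simulate are illustrative. The "vulnerable" mode performs only the signature check; the "strict" mode adds the missing step of rejecting any record whose peer ID differs from the peer the connection belongs to, which is the check the advisory's description implies (a model of the fix, not the upstream patch). The simulation shows why the disconnect cleanup does not help: after the attacker disconnects, the forged entries remain in the vulnerable store.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PeerID stands in for a libp2p peer ID; here it is a truncated SHA-256 of the public key.
type PeerID string

func idFromKey(pub ed25519.PublicKey) PeerID {
	sum := sha256.Sum256(pub)
	return PeerID(hex.EncodeToString(sum[:8]))
}

// SignedRecord models a signed peer record envelope: it claims addresses for PeerID and
// carries the signer's public key plus a signature over (PeerID || Addrs).
type SignedRecord struct {
	PeerID PeerID
	Addrs  []string
	PubKey ed25519.PublicKey
	Sig    []byte
}

func (r SignedRecord) payload() []byte {
	var b bytes.Buffer
	b.WriteString(string(r.PeerID))
	for _, a := range r.Addrs {
		b.WriteByte(0)
		b.WriteString(a)
	}
	return b.Bytes()
}

// NewSignedRecord signs a record for the identity behind priv (hypothetical helper).
func NewSignedRecord(priv ed25519.PrivateKey, addrs []string) SignedRecord {
	pub := priv.Public().(ed25519.PublicKey)
	r := SignedRecord{PeerID: idFromKey(pub), Addrs: addrs, PubKey: pub}
	r.Sig = ed25519.Sign(priv, r.payload())
	return r
}

// verifySignature is the only check the vulnerable path performs: the envelope is
// internally consistent (ID matches the embedded key, signature valid), but nothing
// ties it to the connection it arrived over. Forged records pass this check.
func verifySignature(r SignedRecord) bool {
	return idFromKey(r.PubKey) == r.PeerID && ed25519.Verify(r.PubKey, r.payload(), r.Sig)
}

// PeerStore holds per-peer addresses keyed by peer ID, like the libp2p peerstore.
type PeerStore struct {
	addrs  map[PeerID][]string
	strict bool // false: vulnerable behaviour; true: require record.PeerID == remote peer
}

func NewPeerStore(strict bool) *PeerStore {
	return &PeerStore{addrs: make(map[PeerID][]string), strict: strict}
}

// Receive processes a signed peer record that arrived over a connection with remote.
func (ps *PeerStore) Receive(remote PeerID, r SignedRecord) error {
	if !verifySignature(r) {
		return errors.New("invalid signature")
	}
	if ps.strict && r.PeerID != remote {
		return fmt.Errorf("record for %s received from %s: rejected", r.PeerID, remote)
	}
	ps.addrs[r.PeerID] = append(ps.addrs[r.PeerID], r.Addrs...)
	return nil
}

// Disconnect mirrors the peerstore cleanup that runs when a connected peer goes away.
// It is keyed on the connected peer, so forged IDs are never cleaned up.
func (ps *PeerStore) Disconnect(p PeerID) { delete(ps.addrs, p) }

func (ps *PeerStore) Size() int { return len(ps.addrs) }

// Simulate connects one attacker peer, pushes n records for freshly generated identities
// (constructed sample addresses), then disconnects the attacker. It returns how many
// forged records were accepted and how many entries survive the disconnect cleanup.
func Simulate(strict bool, n int) (accepted, remaining int) {
	ps := NewPeerStore(strict)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	attacker := idFromKey(attackerPriv.Public().(ed25519.PublicKey))
	ps.Receive(attacker, NewSignedRecord(attackerPriv, []string{"/ip4/203.0.113.5/tcp/4001"}))
	for i := 0; i < n; i++ {
		_, fakePriv, _ := ed25519.GenerateKey(rand.Reader)
		fake := NewSignedRecord(fakePriv, []string{"/ip4/198.51.100.1/tcp/4001"})
		if ps.Receive(attacker, fake) == nil {
			accepted++
		}
	}
	ps.Disconnect(attacker)
	return accepted, ps.Size()
}

func main() {
	a, r := Simulate(false, 1000)
	fmt.Printf("vulnerable: %d forged records accepted, %d entries survive disconnect\n", a, r)
	a, r = Simulate(true, 1000)
	fmt.Printf("strict:     %d forged records accepted, %d entries survive disconnect\n", a, r)
}
```

In the vulnerable mode every forged record is accepted and all of them outlive the attacker's connection, which is the unbounded growth the advisory describes; in the strict mode the attacker can only populate its own entry, and that entry is released on disconnect.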

Impact

The attack has a 2x amplification factor: the attacker only needs to send about half as many bytes as it wants to occupy in the target's memory. Because the stored records are never released, the attack does not have to be a burst and can be carried out gradually over time. Per the advisory's measurement, a go-libp2p node on a virtual server with 4 GB of memory can be brought down in approximately 90 seconds, with larger servers requiring proportionally more time (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in go-libp2p v0.27.4. Users are nonetheless recommended to update to v0.27.7 or later (v0.30.0 was current at the time of the advisory), since the subsequent patch releases include fixes for other issues. There are no known workarounds; upgrading is the only remediation (GitHub Advisory, Release Notes).

Source

This report was generated using AI.
