Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseGHSA-f3w5-v9xx-rp8p
GHSA-f3w5-v9xx-rp8p:
vulnerability analysis and mitigation
Overview
A signature verification vulnerability was discovered in Tendermint versions 0.34.0 to 0.34.8, identified as GHSA-f3w5-v9xx-rp8p. The vulnerability, known as 'forward lunatic attack' (FLA), affects Tendermint light clients and was disclosed on April 15, 2021. The issue was patched in version 0.34.9 and was classified as having moderate severity (GitHub Advisory).
Technical details
The vulnerability allows an attacking validator with ⅓+ voting power to sign commit messages for arbitrary application state associated with future block heights that haven't been seen yet. The attack works by having a malicious validator execute a lunatic attack while signing messages for a target block higher than the current block. This vulnerability specifically impacts the light client's ability to detect and form evidence of deception, even when secondary witnesses are correct (GitHub Advisory).
Impact
The vulnerability could potentially result in loss of funds since the light client is responsible for verifying cross-chain state for IBC. When exploited, the light client could accept a bad header from its primary witness without being able to form evidence of this deception. However, it's important to note that FLAs are only possible outside the Tendermint security model and require ⅓+ Byzantine validators. All attempted and successful FLAs leave traces of provable misbehavior on-chain (GitHub Advisory).
Mitigation and workarounds
The vulnerability has been patched in Tendermint Core v0.34.9. The patch handles all evidence automatically and on-chain, including successful automatic reporting of FLAs even after a chain halt. The fix includes adding time to FetchBlock, allowing light clients to determine if a halted chain should have continued. There are no workarounds available, and all users are recommended to upgrade to version 0.34.9 (GitHub Advisory).
Community reactions
The vulnerability was initially discovered by Maximilian Diez, with fixes created by cmwaters, josef-widder, and milosevic at both implementation and specification levels. The issue was addressed through the collaborative effort of the Tendermint security team (GitHub Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management