Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-45130

Disclosure Date: October 13, 2023 •

CVE-2023-45130 CVSS v3 Base Score: 7.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Frontier is Substrate’s Ethereum compatibility layer. Prior to commit aea528198b3b226e0d20cce878551fd4c0e3d5d0, at the end of a contract execution, when opcode SUICIDE marks a contract to be deleted, the software uses storage::remove_prefix (now renamed to storage::clear_prefix) to remove all storages associated with it. This is a single IO primitive call passing the WebAssembly boundary. For large contracts, the call (without providing a limit parameter) can be slow. In addition, for parachains, all storages to be deleted will be part of the PoV, which easily exceed relay chain PoV size limit. On the other hand, Frontier’s maintainers only charge a fixed cost for opcode SUICIDE. The maintainers consider the severity of this issue high, because an attacker can craft a contract with a lot of storage values on a parachain, and then call opcode SUICIDE on the contract. If the transaction makes into a parachain block, the parachain will then stall because the PoV size will exceed relay chain’s limit. This is especially an issue for XCM transactions, because they can’t be skipped. Commit aea528198b3b226e0d20cce878551fd4c0e3d5d0 contains a patch for this issue. For parachains, it’s recommended to issue an emergency runtime upgrade as soon as possible. For standalone chains, the impact is less severe because the issue mainly affects PoV sizes. It’s recommended to issue a normal runtime upgrade as soon as possible. There are no known workarounds.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

Vendors

parity

Products

frontier

References

Canonical

CVE-2023-45130 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45130)

Miscellaneous

https://github.com/paritytech/frontier/security/advisories/GHSA-gc88-2gvv-gp3v

https://github.com/paritytech/frontier/pull/1212

https://github.com/paritytech/frontier/commit/aea528198b3b226e0d20cce878551fd4c0e3d5d0

Rapid7

Unknown

CVE-2023-45130

Unknown

Unknown

None

None

Network

CVE-2023-45130

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2023-45130

Unknown

Unknown

None

None

Network

CVE-2023-45130

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification