TON Lite Server Denial-of-Service Vulnerability via Unmetered Continuation Injection

Vulnerability

A denial-of-service vulnerability exists in TON Lite Server versions prior to 2024.10. The issue stems from how external arguments are handled in locally executed 'get methods.' An attacker can inject a specially crafted Continuation object, which is typically restricted within the virtual machine (VM). When this malicious continuation is executed, it causes excessive CPU usage while incurring minimal virtual gas costs. This imbalance allows the attacker to monopolize the server's processing power, significantly degrading performance and availability for legitimate users.
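The type restriction described above can be enforced on the input side by default-denying any externally supplied get-method argument that is not plain data. The following is an added C++ example, not TON's code and not the 2024.10 patch; the `StackEntry` model, the `Kind` names and both limits are assumptions made for illustration.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical model of a decoded get-method argument (not TON's own types).
enum class Kind { Null, Int, Cell, Slice, Tuple, Continuation };

struct StackEntry {
    Kind kind;
    std::vector<StackEntry> items;  // populated only when kind == Kind::Tuple
};

// Assumed limits for untrusted input; tune them for the deployment.
constexpr std::size_t kMaxDepth = 8;      // maximum tuple nesting
constexpr std::size_t kMaxEntries = 256;  // total entries across all arguments

// True only for plain data. Continuations, unknown kinds, over-deep tuples
// and over-long inputs are all rejected (allowlist, default deny).
static bool entry_is_data(const StackEntry& e, std::size_t depth,
                          std::size_t& budget) {
    if (budget == 0) return false;
    --budget;
    switch (e.kind) {
        case Kind::Null: case Kind::Int: case Kind::Cell: case Kind::Slice:
            return e.items.empty();  // a leaf must not carry children
        case Kind::Tuple:
            if (depth >= kMaxDepth) return false;
            for (const auto& child : e.items)
                if (!entry_is_data(child, depth + 1, budget)) return false;
            return true;
        case Kind::Continuation:  // VM-internal type, never valid from outside
        default:
            return false;
    }
}

// Gate to call before any externally supplied arguments reach the VM.
bool args_acceptable(const std::vector<StackEntry>& args) {
    std::size_t budget = kMaxEntries;
    for (const auto& e : args)
        if (!entry_is_data(e, 0, budget)) return false;
    return true;
}
```

The check is recursive because a continuation nested inside a tuple is just as reachable by the executed method as one passed at the top level.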

Impact

Exploitation of this vulnerability leads to CPU exhaustion, allowing an attacker to disrupt the normal operation of the Lite Server by consuming its processing resources. This causes a noticeable decline in server responsiveness and throughput, effectively creating a denial-of-service condition for users accessing the server through the gateway.

Remediation

The vulnerability has been fixed in TON Lite Server version 2024.10. Users should update to this version to address the issue.

Added: Feb 14, 2026, 1:51 AM
Updated: Feb 14, 2026, 1:51 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.9
remediation: 0.0
relevance: 3.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.