Nimiq Network-libp2p Duplicate Discovery Substream Handling Vulnerability Causes Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Nimiq's network-libp2p library, specifically in versions through 1.2.2. The issue arises in the discovery phase, where the libp2p ConnectionHandler state machine incorrectly manages multiple discovery substreams on the same connection. When a remote peer opens a second substream, the handler panics instead of closing the connection gracefully. This panic disrupts the networking task, causing the node's peer-to-peer networking to go offline until it is restarted.

Impact

Exploitation of this vulnerability leads to a remote crash of the networking task, causing the node's peer-to-peer networking to go offline until it is restarted.

Reproduction

The vulnerability can be reproduced by establishing a connection with a peer that opens multiple discovery substreams on the same connection. This can be done by using a custom libp2p client that initiates the discovery protocol substream twice on the same connection, which will trigger the panic in the ConnectionHandler state machine.

Remediation

Users can upgrade to Nimiq network-libp2p version 1.3.0 or later, where this vulnerability has been patched.
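The failure mode described above, and the graceful alternative, as an added example that is not taken from Nimiq's or libp2p's code. It is a simplified model of a per-connection handler; every type and function name in it is hypothetical, and it does not claim to reproduce the 1.3.0 patch.

```rust
// Simplified model with hypothetical names; not Nimiq's or libp2p's code.
use std::panic;

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum State { Idle, Discovering }

#[derive(Debug, PartialEq)]
pub enum Action { Accept, CloseConnection(&'static str) }

pub struct Handler { pub state: State }

impl Handler {
    // "Before": a second substream is treated as an impossible state.
    // The remote peer decides when this event fires, so the panic is remote.
    pub fn on_inbound_vulnerable(&mut self) -> Action {
        match self.state {
            State::Idle => { self.state = State::Discovering; Action::Accept }
            State::Discovering => panic!("unexpected second discovery substream"),
        }
    }

    // "After": a duplicate is a protocol violation by the peer. Fail only
    // this connection and keep the task that polls the handler alive.
    pub fn on_inbound_hardened(&mut self) -> Action {
        match self.state {
            State::Idle => { self.state = State::Discovering; Action::Accept }
            State::Discovering => Action::CloseConnection("duplicate discovery substream"),
        }
    }
}

// Feeds `n` inbound discovery substreams to one handler. Ok(last action) means
// the handler survived; Err(()) means it panicked (caught here only to observe).
pub fn drive(n: usize, hardened: bool) -> Result<Action, ()> {
    panic::catch_unwind(move || {
        let mut h = Handler { state: State::Idle };
        let mut last = Action::Accept;
        for _ in 0..n {
            last = if hardened { h.on_inbound_hardened() } else { h.on_inbound_vulnerable() };
        }
        last
    })
    .map_err(|_| ())
}

fn main() {
    println!("vulnerable, 2 substreams: {:?}", drive(2, false));
    println!("hardened,   2 substreams: {:?}", drive(2, true));
}
```

The general rule the example illustrates: any state transition a remote peer can trigger should map to an error or a connection close, never to `panic!`, `unreachable!` or `unwrap` inside a shared networking task.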

Added: Apr 22, 2026, 8:22 PM
Updated: Apr 22, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.