Nimiq Primitives Election Macro Block Voting Key Validation Vulnerability Causes Node Panic
Vulnerability
A vulnerability in the Nimiq Primitives library, specifically in versions through 1.2.2, allows an untrusted peer to cause a node to panic. This occurs when the peer announces an election macro block containing an invalid compressed BLS voting key. The issue arises during the hashing of the election macro header, where the 'validators' are processed. This leads to a call that attempts to uncompress the voting key, resulting in a panic due to the invalid data. The vulnerability has been patched in version 1.3.0.
Impact
Exploitation of this vulnerability causes a node to panic, disrupting its operation.
Reproduction
To reproduce this vulnerability, an untrusted peer can announce an election macro block that includes an invalid compressed BLS voting key. The node will panic when it processes the block, specifically during the hashing of the election macro header, where the invalid key causes a failure in the uncompression process.
Remediation
Users can upgrade to Nimiq Primitives version 1.3.0 or later to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.