QwikSec

Security Database

CVE

CWE

Training

CVE-2024-38359

Published: Jun 20, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

The Lightning Network Daemon (lnd) - is a complete implementation of a Lightning Network node. A parsing vulnerability in lnd's onion processing logic and lead to a DoS vector due to excessive memory allocation. The issue was patched in lnd v0.17.0. Users should update to a version > v0.17.0 to be protected. Users unable to upgrade may set the `--rejecthtlc` CLI flag and also disable forwarding on channels via the `UpdateChanPolicyCommand`, or disable listening on a public network interface via the `--nolisten` flag as a mitigation.

Vendor	Product	Versions
lightningnetwork	lnd	affected `< 0.17.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/lightningnetwork/lnd/security/advisories/GHSA-9gxx-58q6-42p7

x_refsource_CONFIRM

https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979

x_refsource_MISC

https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta

x_refsource_MISC

https://lightning.network

x_refsource_MISC

https://morehouse.github.io/lightning/lnd-onion-bomb

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.