{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mppx/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mppx"],"_cs_severities":["critical"],"_cs_tags":["npm","vulnerability","payment bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003emppx\u003c/code\u003e npm package, a payment processing library, contains several critical vulnerabilities that could be exploited to bypass payment requirements, manipulate transaction fees, and disrupt payment channels. These vulnerabilities affect versions prior to 0.4.8, and arise from insufficient validation of transaction hashes, missing transfer log verification, cross-route scope confusion, and weaknesses in channel ID binding. Successful exploitation could allow attackers to perform free transactions, force others to pay their fees, or render payment channels unusable, leading to significant financial losses and reputational damage for applications relying on the vulnerable library.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker identifies a vulnerable application using a version of the \u003ccode\u003emppx\u003c/code\u003e npm package prior to 0.4.8.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTransaction Replay:\u003c/strong\u003e The attacker replays \u003ccode\u003etempo/charge\u003c/code\u003e transaction hashes across push/pull modes or charge/session endpoints to duplicate payments or bypass charges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFree Requests (Pull Mode):\u003c/strong\u003e The attacker performs free \u003ccode\u003etempo/charge\u003c/code\u003e requests by exploiting missing transfer log verification in pull mode.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFee Manipulation:\u003c/strong\u003e The attacker manipulates the fee payer of a \u003ccode\u003etempo/charge\u003c/code\u003e handler into paying for their requests by exploiting the missing sender signature check.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVoucher Bypass:\u003c/strong\u003e The attacker bypasses \u003ccode\u003etempo/session\u003c/code\u003e voucher signature verification to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eChannel Hijacking:\u003c/strong\u003e The attacker piggybacks off existing \u003ccode\u003etempo/session\u003c/code\u003e channels by reusing settle vouchers and exploiting weak channel ID binding.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGriefing:\u003c/strong\u003e The attacker griefs \u003ccode\u003etempo/session\u003c/code\u003e channels via force-close detection bypass by exploiting the fact that \u003ccode\u003ecloseRequestedAt\u003c/code\u003e is not persisted.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker successfully bypasses payment, manipulates fees, or disrupts payment channels, resulting in financial loss and service disruption for the targeted application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to significant financial losses for applications using the vulnerable versions of the \u003ccode\u003emppx\u003c/code\u003e package. Attackers can perform free transactions at the expense of legitimate users or the service provider. Moreover, attackers can grief payment channels, rendering them unusable and disrupting services that rely on them. The number of affected applications is unknown, but any application utilizing \u003ccode\u003emppx\u003c/code\u003e prior to version 0.4.8 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003emppx\u003c/code\u003e npm package to version 0.4.8 or later to patch the vulnerabilities (reference: Patches section).\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and integrity checks for all transaction-related data, especially when using \u003ccode\u003etempo/charge\u003c/code\u003e and \u003ccode\u003etempo/session\u003c/code\u003e (reference: Overview).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns indicative of transaction replay attacks or attempts to bypass payment mechanisms.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts related to free requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T10:00:00Z","date_published":"2024-02-29T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-02-mppx-vulns/","summary":"Multiple vulnerabilities in the `mppx` npm package (versions prior to 0.4.8) allow for payment bypass, transaction replay attacks, fee manipulation, signature bypass, and channel griefing, potentially leading to financial loss and service disruption.","title":"MPPX Payment Bypass and Griefing Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2024-02-mppx-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed - Mppx","version":"https://jsonfeed.org/version/1.1"}