{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/nimiq/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["nimiq-primitives"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","nimiq","bls"],"_cs_type":"advisory","_cs_vendors":["Nimiq"],"content_html":"\u003cp\u003eA critical vulnerability exists in Nimiq\u0026rsquo;s core-rs-albatross library, specifically within the nimiq-primitives crate, affecting versions 0.2.0 and earlier. An attacker can exploit this vulnerability by sending a malicious election macro block to a Nimiq node. This block contains an invalid compressed BLS voting key. When the node attempts to process this block, specifically during the hashing of the election macro header and the validation of the validators set via \u003ccode\u003eValidators::voting_keys()\u003c/code\u003e, the \u003ccode\u003evalidator.voting_key.uncompress().unwrap()\u003c/code\u003e function is triggered. Due to the invalid BLS key, this operation results in a panic, effectively crashing the Nimiq node and causing a denial-of-service condition. The vulnerability was patched in version 1.3.0 of the core-rs-albatross library.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Nimiq node running a version of \u003ccode\u003enimiq-primitives\u003c/code\u003e less than or equal to 0.2.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious election macro block.\u003c/li\u003e\n\u003cli\u003eThe malicious block contains an invalid compressed BLS voting key within the \u003ccode\u003evalidators\u003c/code\u003e set.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted block to the target Nimiq node via the peer-to-peer network.\u003c/li\u003e\n\u003cli\u003eThe Nimiq node receives the block and begins processing it.\u003c/li\u003e\n\u003cli\u003eDuring the hashing of the election macro header, the \u003ccode\u003evalidators\u003c/code\u003e set is processed.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eValidators::voting_keys()\u003c/code\u003e function is called, which attempts to uncompress the BLS voting key.\u003c/li\u003e\n\u003cli\u003eDue to the invalid compressed BLS key, the \u003ccode\u003evalidator.voting_key.uncompress().unwrap()\u003c/code\u003e function panics, causing the node to crash and leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition for the targeted Nimiq node. This can disrupt network operations, prevent legitimate transactions from being processed, and potentially impact the overall stability of the Nimiq network. The vulnerability allows any untrusted peer to trigger the crash.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to version 1.3.0 or later of the \u003ccode\u003ecore-rs-albatross\u003c/code\u003e library to patch CVE-2026-34065.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on incoming peer connections to mitigate the impact of malicious blocks being sent to the node.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-nimiq-panic/","summary":"An unauthenticated peer can crash a Nimiq node by sending a malformed election macro block containing an invalid BLS voting key, leading to a denial of service.","title":"Nimiq Node Panic due to Invalid BLS Key","url":"https://feed.craftedsignal.io/briefs/2024-01-nimiq-panic/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["nimiq-block"],"_cs_severities":["medium"],"_cs_tags":["blockchain","quorum bypass","nimiq","rust"],"_cs_type":"advisory","_cs_vendors":["Nimiq"],"content_html":"\u003cp\u003eA critical vulnerability has been identified in the Nimiq Block\u0026rsquo;s \u003ccode\u003eSkipBlockProof::verify\u003c/code\u003e function within the rust-albatross core. This vulnerability stems from the way the quorum check is performed. The vulnerability lies in the ability to craft \u003ccode\u003eMultiSignature.signers\u003c/code\u003e that contain out-of-range indices spaced by 65536, inflating the \u003ccode\u003elen()\u003c/code\u003e calculation but colliding onto the same in-range \u003ccode\u003eu16\u003c/code\u003e slot during aggregation due to truncation. The vulnerability affects \u003ccode\u003erust/nimiq-block\u003c/code\u003e versions \u003ccode\u003e\u0026lt;= 0.2.0\u003c/code\u003e. Successful exploitation allows a malicious validator with significantly fewer than the required \u003ccode\u003e2f+1\u003c/code\u003e signer slots to pass skip block proof verification. This bypasses the intended security mechanisms, potentially undermining the blockchain\u0026rsquo;s consensus and integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Nimiq Block instance running a vulnerable version (\u0026lt;= 0.2.0) of the \u003ccode\u003erust/nimiq-block\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eMultiSignature.signers\u003c/code\u003e payload.\u003c/li\u003e\n\u003cli\u003eThe malicious payload contains out-of-range indices spaced by 65536. These indices are specifically designed to inflate the \u003ccode\u003eBitSet.len()\u003c/code\u003e calculation used in the quorum check.\u003c/li\u003e\n\u003cli\u003eDuring verification within \u003ccode\u003eSkipBlockProof::verify\u003c/code\u003e, the \u003ccode\u003eusize\u003c/code\u003e indices are cast to \u003ccode\u003eu16\u003c/code\u003e (\u003ccode\u003eslot as u16\u003c/code\u003e) for slot lookup.\u003c/li\u003e\n\u003cli\u003eDue to the \u003ccode\u003eu16\u003c/code\u003e truncation, the out-of-range indices collide onto the same in-range slot. This creates an artificial aggregation of signatures.\u003c/li\u003e\n\u003cli\u003eThe attacker multiplies a single BLS signature by a factor to match the inflated \u003ccode\u003elen()\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe manipulated \u003ccode\u003eSkipBlockProof\u003c/code\u003e passes the quorum check due to the inflated \u003ccode\u003elen()\u003c/code\u003e and signature aggregation.\u003c/li\u003e\n\u003cli\u003eThe malicious skip block is accepted, potentially leading to consensus manipulation or other attacks on the blockchain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a malicious validator to bypass the standard quorum requirements for skip block proof verification. This means that a single compromised validator or a small group of colluding validators can inject fraudulent blocks into the blockchain, potentially leading to double-spending, denial-of-service, or other attacks that compromise the integrity and availability of the Nimiq blockchain. Given the severity of these potential outcomes, this vulnerability poses a critical risk to any system relying on affected versions of Nimiq Block.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003erust/nimiq-block\u003c/code\u003e version \u003ccode\u003e1.3.0\u003c/code\u003e or later, which includes the fix for \u003ca href=\"https://github.com/advisories/GHSA-6973-8887-87ff\"\u003eCVE-2026-33471\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for anomalies related to skip block submissions, focusing on unusually large \u003ccode\u003eMultiSignature.signers\u003c/code\u003e payloads with indices spaced by multiples of 65536. Create a network monitoring rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-nimiq-block-quorum-bypass/","summary":"A vulnerability exists in Nimiq Block's SkipBlockProof verification process, allowing attackers to bypass quorum checks by manipulating MultiSignature signers with out-of-range indices, potentially compromising blockchain integrity, and affecting rust/nimiq-block versions 0.2.0 and earlier.","title":"Nimiq Block Skip Block Quorum Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-nimiq-block-quorum-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Nimiq","version":"https://jsonfeed.org/version/1.1"}