logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-6245 candid

Package

Manager: cargo
Name: candid
Vulnerable Version: >=0.9.0 <0.9.10

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00131 pctl0.33359

Details

Candid infinite decoding loop through specially crafted payload ### Impact The Candid library causes a Denial of Service while parsing a specially crafted payload with `empty` data type. For example, if the payload is `record { * ; empty }` and the canister interface expects `record { * }` then the rust candid decoder treats `empty` as an extra field required by the type. The problem with type `empty` is that the candid rust library wrongly categorizes `empty` as a recoverable error when skipping the field and thus causing an infinite decoding loop. Canisters using affected versions of candid are exposed to denial of service by causing the decoding to run indefinitely until the canister traps due to reaching maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister. For asset canister users, `dfx` versions `>= 0.14.4` to `<= 0.15.2-beta.0` ships asset canister with an affected version of candid. #### Unaffected - Rust canisters using candid `< 0.9.0` or `>= 0.9.10` - Rust canister interfaces of type other than `record { * }` - Motoko based canisters - dfx (for asset canister) `<= 0.14.3` or `>= 0.15.2` ### Patches The issue has been patched in `0.9.10`. All rust based canisters on candid versions `>= 0.9.0` must upgrade their candid versions to `>= 0.9.10` and deploy their canisters to mainnet as soon as possible. ### Workarounds There is no workaround for canisters using the affected versions of candid other than upgrading to patched version. ### References - [dfinity/candid/pull/478](https://github.com/dfinity/candid/pull/478) - [Candid Library Reference](https://internetcomputer.org/docs/current/references/candid-ref) - [Candid Specification](https://github.com/dfinity/candid/blob/master/spec/Candid.md) - [Internet Computer Specification](https://internetcomputer.org/docs/current/references/ic-interface-spec)

Metadata

Created: 2023-12-08T15:23:22Z
Modified: 2023-12-08T19:52:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-7787-p7x6-fq3j/GHSA-7787-p7x6-fq3j.json
CWE IDs: ["CWE-1288", "CWE-400", "CWE-835"]
Alternative ID: GHSA-7787-p7x6-fq3j
Finding: F002
Auto approve: 1