Vulnerability Details : CVE-2020-26895
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver, or payment-sender). The impact is a loss of funds in certain situations.
Products affected by CVE-2020-26895
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.1.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.2.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.3:alpha:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.4:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.4.1:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.4.2:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.5:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.5:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.5:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.5.1:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.5.1:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.5.1:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.5.1:beta_rc3:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.5.1:beta_rc4:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.5.2:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.6:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.6:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.6:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.6:beta_rc3:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.6:beta_rc4:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.6.1:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.6.1:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.6.1:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.7.0:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.7.0:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.7.0:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.7.0:beta_rc3:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.7.1:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.7.1:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.7.1:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.8.0:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.8.0:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.8.0:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.8.0:beta_rc3:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.8.1:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.8.2:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.8.2:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.8.2:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.9.0:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.9.0:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.9.0:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.9.0:beta_rc3:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.9.0:beta_rc4:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.9.1:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.9.1:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.9.2:beta:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.10.0:beta_rc1:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.10.0:beta_rc2:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.10.0:beta_rc3:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.10.0:beta_rc4:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.10.0:beta_rc5:*:*:*:*:*:*
- cpe:2.3:a:lightning_network_daemon_project:lightning_network_daemon:0.10.0:beta_rc6:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26895
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 23 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-26895
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2020-26895
-
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-26895
-
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-October/002858.html
[Lightning-dev] CVE-2020-26895: LND Low-S Tx-Relay StandardnessMailing List;Third Party Advisory
-
https://gist.github.com/ariard/fb432a9d2cd3ba24fdc18ccc8c5c6eb4
public-report-high-s.txt ยท GitHubThird Party Advisory
-
https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-October/002856.html
[Lightning-dev] Full Disclosure: CVE-2020-26895 LND "Hodl my Shitsig"Mailing List;Third Party Advisory
Jump to