Vulnerability Details : CVE-2023-6245
The Candid Rust library can be driven into a denial of service while decoding a specially crafted payload that uses the `empty` data type. For example, if the payload is `record { * ; empty }` and the canister interface expects `record { * }`, the Rust Candid decoder treats the `empty` value as an extra field that has to be skipped. The library wrongly categorizes the error raised while skipping a value of type `empty` as recoverable, and the skip is retried forever, causing an infinite decoding loop.

Canisters using affected versions of candid are exposed to denial of service: decoding runs indefinitely until the canister traps on reaching the maximum instruction limit for an execution round. Repeated exposure to the payload degrades the canister's performance. Note: canisters written in Motoko are unaffected.
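The loop described above, as an added illustrative model (this is not code from dfinity/candid and not the library's real decoder): a tiny record decoder that skips wire fields absent from the expected type. The type tags (0x01 nat, 0x02 bool, 0x03 empty), the wire layout, the "rewind and retry on a recoverable error" behaviour and the execution budget standing in for the canister instruction limit are all assumptions of the model. It contrasts the buggy classification of `empty` as a recoverable skip error with the fixed classification as a fatal error.

```rust
// Added example, not code from dfinity/candid: a simplified model of a record
// decoder that skips fields present on the wire but absent from the expected
// type. Type tags, wire layout, retry behaviour and budget are assumptions.

#[derive(Clone, Copy, Debug, PartialEq)]
enum Ty {
    Nat,   // unsigned LEB128
    Bool,  // one byte
    Empty, // the Candid `empty` type: no value of it can exist on the wire
}

#[derive(Debug, PartialEq)]
enum DecodeError {
    Recoverable(&'static str), // decoder may back off and try again
    Fatal(&'static str),       // decoding must stop
    Trap,                      // execution budget (instruction limit) exhausted
}

/// How a skipped `empty` field is reported: recoverable (the bug) or fatal (the fix).
#[derive(Clone, Copy)]
enum EmptyPolicy {
    Recoverable,
    Fatal,
}

struct Decoder<'a> {
    input: &'a [u8],
    pos: usize,
    budget: usize,
}

impl<'a> Decoder<'a> {
    // Charge one unit of the execution budget; models the canister instruction limit.
    fn tick(&mut self) -> Result<(), DecodeError> {
        if self.budget == 0 {
            return Err(DecodeError::Trap);
        }
        self.budget -= 1;
        Ok(())
    }

    fn read_byte(&mut self) -> Result<u8, DecodeError> {
        let b = *self.input.get(self.pos).ok_or(DecodeError::Fatal("unexpected end of input"))?;
        self.pos += 1;
        Ok(b)
    }

    fn read_leb128(&mut self) -> Result<u64, DecodeError> {
        let (mut value, mut shift) = (0u64, 0u32);
        loop {
            let b = self.read_byte()?;
            value |= u64::from(b & 0x7f) << shift;
            if b & 0x80 == 0 {
                return Ok(value);
            }
            shift += 7;
            if shift >= 64 {
                return Err(DecodeError::Fatal("leb128 too long"));
            }
        }
    }

    fn read_ty(&mut self) -> Result<Ty, DecodeError> {
        match self.read_byte()? {
            0x01 => Ok(Ty::Nat),
            0x02 => Ok(Ty::Bool),
            0x03 => Ok(Ty::Empty),
            _ => Err(DecodeError::Fatal("unknown type tag")),
        }
    }

    /// Skip one wire field (type tag followed by its value) without keeping it.
    fn skip_field(&mut self, policy: EmptyPolicy) -> Result<(), DecodeError> {
        match self.read_ty()? {
            Ty::Nat => self.read_leb128().map(|_| ()),
            Ty::Bool => self.read_byte().map(|_| ()),
            // No value of type `empty` can be skipped; the only question is how to report that.
            Ty::Empty => match policy {
                EmptyPolicy::Recoverable => Err(DecodeError::Recoverable("cannot skip empty")),
                EmptyPolicy::Fatal => Err(DecodeError::Fatal("cannot decode empty type")),
            },
        }
    }
}

/// Decode `record { a : nat }` from a wire record that may carry extra trailing
/// fields and return the value of `a`.
fn decode_record_a(payload: &[u8], policy: EmptyPolicy, budget: usize) -> Result<u64, DecodeError> {
    let mut d = Decoder { input: payload, pos: 0, budget };
    if d.read_ty()? != Ty::Nat {
        return Err(DecodeError::Fatal("field a: expected nat"));
    }
    let a = d.read_leb128()?;
    // Extra fields are skipped. On a recoverable error the decoder rewinds to the
    // start of the field and tries again; nothing is consumed, so only the budget
    // moves, and the loop ends only when the budget is gone (the canister traps).
    while d.pos < d.input.len() {
        d.tick()?;
        let start = d.pos;
        match d.skip_field(policy) {
            Ok(()) => {}
            Err(DecodeError::Recoverable(_)) => d.pos = start,
            Err(e) => return Err(e),
        }
    }
    Ok(a)
}

/// Constructed payload: `record { a = 300; b = true }`, a benign extra field.
const BENIGN: &[u8] = &[0x01, 0xac, 0x02, 0x02, 0x01];
/// Constructed payload: `record { a = 300; <extra field of type empty> }`, the crafted shape.
const CRAFTED: &[u8] = &[0x01, 0xac, 0x02, 0x03];

fn main() {
    println!("benign, buggy policy:  {:?}", decode_record_a(BENIGN, EmptyPolicy::Recoverable, 1_000));
    println!("crafted, buggy policy: {:?}", decode_record_a(CRAFTED, EmptyPolicy::Recoverable, 1_000));
    println!("crafted, fixed policy: {:?}", decode_record_a(CRAFTED, EmptyPolicy::Fatal, 1_000));
}
```

With the buggy policy the crafted payload burns the whole budget and ends in `Trap`, matching the "runs until the instruction limit" behaviour in the description; with the fatal classification the same payload is rejected on the first skip. The general lesson for any decoder with a skip-or-retry path is that a retry that consumes no input must be treated as a hard error (or bounded by a progress check), never as something to try again.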
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2023-6245
- cpe:2.3:a:dfinity:candid:*:*:*:*:*:rust:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-6245
EPSS score: 0.08% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~38% (proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-6245
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | DFINITY Foundation | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2023-6245
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: 6b35d637-e00f-4228-858c-b20ad6e1d07b (Secondary)
- The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words. Assigned by: 6b35d637-e00f-4228-858c-b20ad6e1d07b (Secondary)
- The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. Assigned by: 6b35d637-e00f-4228-858c-b20ad6e1d07b (Secondary); nvd@nist.gov (Primary)
- The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent. Assigned by: 6b35d637-e00f-4228-858c-b20ad6e1d07b (Secondary)
References for CVE-2023-6245
- https://internetcomputer.org/docs/current/references/ic-interface-spec : The Internet Computer Interface Specification | Internet Computer [Product]
- https://internetcomputer.org/docs/current/references/candid-ref : Candid reference | Internet Computer [Product]
- https://github.com/dfinity/candid/security/advisories/GHSA-7787-p7x6-fq3j : Infinite decoding loop through specially crafted payload · Advisory · dfinity/candid · GitHub [Patch; Third Party Advisory]
- https://github.com/dfinity/candid/blob/master/spec/Candid.md : candid/spec/Candid.md at master · dfinity/candid · GitHub [Product]
- https://github.com/dfinity/candid/pull/478 : fix error msg for empty type by chenyan-dfinity · Pull Request #478 · dfinity/candid · GitHub [Patch]