ghsa-3j4h-h3fp-vwww
Vulnerability from github
Published
2024-06-17 21:24
Modified
2024-06-17 21:24
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
LNbits improperly handles potential network and payment failures when using Eclair backend
Details

Summary

Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight.

Details

Using blocking: true on the API call will lead to a timeout error if a payment does not get settled in the 30s timeout with the error: Ask timed out on [Actor[akka://eclair-node/user/$l#134241942]] after [30000 ms]. Message of type [fr.acinq.eclair.payment.send.PaymentInitiator$SendPaymentToNode]. A typical reason for AskTimeoutException is that the recipient actor didn't send a reply. https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L138

This is considered a payment failure by parts of the code, and assumes the payment is not going to be settled after: https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L144 https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L141 https://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L146

The best way to fix this is to check the payment status after an error, and when not sure, always consider a payment still in flight.

PoC

A very simple way to exploit this is: - Create a hold invoice - Pay the invoice with the LNbits server backed by an Eclair node, until it times out - Settle the hold invoice

Impact

This vulnerability can lead to a total loss of funds for the node backend.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lnbits"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T21:24:18Z",
    "nvd_published_at": "2024-06-14T15:15:50Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nPaying invoices in Eclair that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight.\n\n### Details\n\nUsing `blocking: true` on the API call will lead to a timeout error if a payment does not get settled in the 30s timeout with the error: `Ask timed out on [Actor[akka://eclair-node/user/$l#134241942]] after [30000 ms]. Message of type [fr.acinq.eclair.payment.send.PaymentInitiator$SendPaymentToNode]. A typical reason for AskTimeoutException is that the recipient actor didn\u0027t send a reply.`\nhttps://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L138\n\nThis is considered a payment failure by parts of the code, and assumes the payment is not going to be settled after:\nhttps://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L144\nhttps://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L141\nhttps://github.com/lnbits/lnbits/blob/c04c13b2f8cfbb625571a07dfddeb65ea6df8dac/lnbits/wallets/eclair.py#L146\n\nThe best way to fix this is to check the payment status after an error, and when not sure, always consider a payment still in flight.\n\n### PoC\n\nA very simple way to exploit this is:\n- Create a hold invoice\n- Pay the invoice with the LNbits server backed by an Eclair node, until it times out\n- Settle the hold invoice\n\n### Impact\n\nThis vulnerability can lead to a total loss of funds for the node backend.\n",
  "id": "GHSA-3j4h-h3fp-vwww",
  "modified": "2024-06-17T21:24:18Z",
  "published": "2024-06-17T21:24:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lnbits/lnbits/security/advisories/GHSA-3j4h-h3fp-vwww"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34694"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lnbits/lnbits"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LNbits improperly handles potential network and payment failures when using Eclair backend"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.