Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2020-26896

Improper Validation of Integrity Check Value

Published: Oct 21, 2020 | Modified: Nov 05, 2020
CVSS 3.x
8.2
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CVSS 2.x
5.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2020-26896
CWEhttps://cwe.mitre.org/data/definitions/354.html

Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didnt verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collision with an invoice, the preimage for an expected payment was instead released. A malicious peer could have deliberately intercepted an HTLC intended for the victim node, probed the preimage through a colluding relayed HTLC, and stolen the intercepted HTLC. The impact is a loss of funds in certain situations, and a weakening of the victims receiver privacy.

Weakness

The product does not validate or incorrectly validates the integrity check values or “checksums” of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

Affected Software

Name Vendor Start Version End Version
Lightning_network_daemon Lightning_network_daemon_project * 0.11.0 (excluding)
Lightning_network_daemon Lightning_network_daemon_project 0.11.0 (including) 0.11.0 (including)
Lightning_network_daemon Lightning_network_daemon_project 0.11.0-beta_rc1 (including) 0.11.0-beta_rc1 (including)
Lightning_network_daemon Lightning_network_daemon_project 0.11.0-beta_rc2 (including) 0.11.0-beta_rc2 (including)
Lightning_network_daemon Lightning_network_daemon_project 0.11.0-beta_rc3 (including) 0.11.0-beta_rc3 (including)
Lightning_network_daemon Lightning_network_daemon_project 0.11.0-beta_rc4 (including) 0.11.0-beta_rc4 (including)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use