CVE-2019-16281

7.5 HIGH

📋 TL;DR

CVE-2019-16281 is an authentication bypass in the Ptarmigan Lightning Network node software, affecting versions before 0.2.3. Because the API token is not validated, an attacker who can reach the node's API can issue commands without a valid token. Every operator running an affected version is exposed.

💻 Affected Systems

Products:
  • Ptarmigan Lightning Network Node
Versions: All versions before 0.2.3
Operating Systems: Linux, macOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability exists in the API authentication mechanism.

📦 What is this software?

Ptarmigan is an open-source Lightning Network node implementation written in C and developed by Nayuta (github.com/nayutaco/ptarmigan). It runs as a daemon that opens and manages payment channels and is controlled through an API; that API's token check is the component affected by this CVE.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Lightning Network node, allowing unauthorized fund transfers, channel manipulation, and node takeover.

🟠

Likely Case

Unauthorized API access leading to information disclosure, configuration changes, or limited financial impact.

🟢

If Mitigated

No impact once the node runs a version that enforces API token validation, provided the API tokens themselves are kept secret and the API is not needlessly exposed.

🌐 Internet-Facing: HIGH - If the API is exposed to the internet, attackers can directly exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit is trivial: send an API request with no token (or an arbitrary one) and a vulnerable node processes it as if it were authenticated. The fix commit shows the validation that was missing, which is enough for anyone to reproduce the bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.3 and later

Vendor Advisory: https://github.com/nayutaco/ptarmigan/releases/tag/v0.2.3

Restart Required: Yes

Instructions:

1. Stop the Ptarmigan service.
2. Update to version 0.2.3 or later using your package manager or from the GitHub releases page.
3. Restart the Ptarmigan service.
4. Verify that the running version is 0.2.3 or higher.

🔧 Temporary Workarounds

Network Isolation (Linux)

Restrict API access to trusted hosts with firewall rules. Replace [API_PORT] with the node's API port and [TRUSTED_IP] with each trusted address (repeat the ACCEPT rule per host); the ACCEPT rule must come before the DROP rule. These rules are not persistent across reboots unless saved with your distribution's iptables persistence mechanism, and if the API is only used locally, binding it to 127.0.0.1 is the stronger option.

iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [API_PORT] -j DROP

API Disablement (all platforms)

Disable the API if it is not required for operation: edit the node's configuration to turn the API off, or set the API port to 0 where the version supports that. Confirm afterwards that nothing is listening on the former API port.

🧯 If You Can't Patch

  • Implement network-level authentication (VPN, IP whitelisting) for API access
  • Use reverse proxy with additional authentication layer in front of Ptarmigan API

🔍 How to Verify

Check if Vulnerable:

Check whether the Ptarmigan version is below 0.2.3. Independently, attempt an API call without an authentication token from a host that is allowed to reach the API: if the call is processed, the node is vulnerable.

Check Version:

ptarmigan --version, or check the version recorded in the configuration or startup logs.

Verify Fix Applied:

After patching, repeat the API call without an authentication token: it must now be rejected with an authentication error, and a call with the correct token must still succeed.
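The check described under Exploit Status and How to Verify, as an added example that is not Ptarmigan project code: it sends one API request without a token and classifies the node as vulnerable, patched or unreachable. The endpoint URL, the JSON-RPC method name (getinfo), the token header name (X-API-Token) and the response shape are assumptions; adjust them to the node's real API. A constructed in-process fake node reproduces both the vulnerable and the fixed behaviour so the script runs offline.

```python
"""Probe whether a JSON-RPC API accepts requests that carry no API token.
Added example for this page, not Ptarmigan code. Endpoint path, method name,
token header and response layout are ASSUMPTIONS; change them for a real node."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-API-Token"   # assumed header name
PROBE_METHOD = "getinfo"       # assumed read-only method (never probe with a payment call)


def probe_api(url, token=None, timeout=5.0):
    """POST one JSON-RPC request. Return 'accepted', 'rejected' or 'error'."""
    body = json.dumps({"jsonrpc": "2.0", "id": 1,
                       "method": PROBE_METHOD, "params": []}).encode()
    headers = {"Content-Type": "application/json"}
    if token is not None:
        headers[TOKEN_HEADER] = token
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            data = json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:          # HTTP-level rejection
        return "rejected" if exc.code in (401, 403) else "error"
    except (urllib.error.URLError, ValueError, OSError):
        return "error"
    # A 200 with a JSON-RPC "error" member is still a rejection
    return "rejected" if "error" in data else "accepted"


def check_node(url):
    """'vulnerable' if an unauthenticated call is processed, 'patched' if it is
    rejected, 'unreachable' if the API could not be reached or answered oddly."""
    outcome = probe_api(url, token=None)
    return {"accepted": "vulnerable", "rejected": "patched"}.get(outcome, "unreachable")


# ---- constructed fake node for offline demonstration (not Ptarmigan) --------
class _FakeNode(BaseHTTPRequestHandler):
    require_token = True          # False models the pre-0.2.3 behaviour
    valid_token = "s3cret"

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        request = json.loads(self.rfile.read(length) or b"{}")
        if self.require_token and self.headers.get(TOKEN_HEADER) != self.valid_token:
            self._reply(401, {"jsonrpc": "2.0", "id": request.get("id"),
                              "error": {"code": -32001, "message": "invalid token"}})
            return
        self._reply(200, {"jsonrpc": "2.0", "id": request.get("id"),
                          "result": {"node_id": "02" + "ab" * 32}})

    def _reply(self, status, payload):
        raw = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(raw)))
        self.end_headers()
        self.wfile.write(raw)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_node(require_token):
    """Start a simulated node on an ephemeral localhost port; return (url, server)."""
    handler = type("Node", (_FakeNode,), {"require_token": require_token})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % server.server_address[1], server


if __name__ == "__main__":
    for require in (False, True):
        url, srv = start_fake_node(require)
        print("token enforced=%s -> %s" % (require, check_node(url)))
        srv.shutdown()
        srv.server_close()
```

Run it against a real node by calling check_node() with the node's API URL from a host the firewall allows; use a read-only method only, and treat "unreachable" as no evidence either way rather than as a pass.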

📡 Detection & Monitoring

Log Indicators:

  • Successful API calls without authentication tokens
  • API authentication failures followed by successful requests

Network Indicators:

  • API requests without authentication headers
  • Unusual API traffic patterns from unexpected sources

SIEM Query (illustrative; the source name and message strings must be adapted to the node's actual log format):

source="ptarmigan.log" AND ("API call" OR "authentication") AND NOT "token"
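The two log indicators above, applied to sample log lines, as an added example that is not Ptarmigan code. The log line layout (timestamp, source address, method, token state, result) is constructed for this example because Ptarmigan's real log format is not shown on this page; adapt LINE_RE to the fields your node actually emits. The function flags successful calls made without a valid token (the direct signature of the bypass) and sources that failed authentication and then obtained a successful call.

```python
"""Scan API access logs for (1) successful calls without a valid token and
(2) authentication failures followed by a successful call from the same source.
Added example, not Ptarmigan code. The log layout below is CONSTRUCTED."""
import re
from collections import defaultdict

# Assumed layout:
#   <ts> api src=<ip> method=<name> token=<present|missing|invalid> result=<ok|auth_failed>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) api src=(?P<src>\S+) method=(?P<method>\S+) "
    r"token=(?P<token>present|missing|invalid) result=(?P<result>ok|auth_failed)$"
)

# Constructed sample: one benign operator, one direct bypass, one fail-then-bypass
SAMPLE_LOG = """\
2019-09-12T10:00:01Z api src=10.0.0.5 method=getinfo token=present result=ok
2019-09-12T10:00:07Z api src=203.0.113.9 method=getinfo token=missing result=ok
2019-09-12T10:00:09Z api src=203.0.113.9 method=pay token=missing result=ok
2019-09-12T10:01:00Z api src=198.51.100.4 method=getinfo token=invalid result=auth_failed
2019-09-12T10:01:02Z api src=198.51.100.4 method=getinfo token=invalid result=auth_failed
2019-09-12T10:01:05Z api src=198.51.100.4 method=listchannels token=missing result=ok
2019-09-12T10:02:00Z api src=10.0.0.5 method=pay token=present result=ok
"""


def parse_log(text):
    """Yield one dict per line matching the assumed layout; unmatched lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_indicators(text):
    """Return (unauth_success, failure_then_success).

    unauth_success: events where a call succeeded although the token was
      missing or invalid. On a patched node this list must be empty.
    failure_then_success: {src: [(method, token_state), ...]} for sources that
      first failed authentication and later got a successful call. A later
      success with token=present is usually an operator retry; one with
      token=missing/invalid is the bypass in use.
    """
    unauth_success = []
    failed_sources = set()
    failure_then_success = defaultdict(list)
    for ev in parse_log(text):
        if ev["result"] == "auth_failed":
            failed_sources.add(ev["src"])
            continue
        if ev["token"] != "present":
            unauth_success.append(ev)
        if ev["src"] in failed_sources:
            failure_then_success[ev["src"]].append((ev["method"], ev["token"]))
    return unauth_success, dict(failure_then_success)


if __name__ == "__main__":
    hits, chains = find_indicators(SAMPLE_LOG)
    for ev in hits:
        print("UNAUTH OK  %(ts)s src=%(src)s method=%(method)s token=%(token)s" % ev)
    for src, calls in chains.items():
        print("FAIL->OK   src=%s calls=%s" % (src, calls))
```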

🔗 References

  • Vendor release notes: https://github.com/nayutaco/ptarmigan/releases/tag/v0.2.3
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-16281