CVE-2022-28937

7.5 HIGH

📋 TL;DR

This vulnerability in FISCO-BCOS blockchain nodes allows a malicious node to send invalid proposals with bad headers, causing normal nodes to stop processing new blocks and client requests. This affects all nodes running the vulnerable version, leading to denial of service in the blockchain network.

💻 Affected Systems

Products:
  • FISCO-BCOS
Versions: release-3.0.0-rc2
Operating Systems: All platforms running FISCO-BCOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all nodes in the blockchain network running the vulnerable version. The vulnerability is in the consensus mechanism.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network disruption where all normal nodes stop processing transactions and producing blocks, effectively halting the blockchain.

🟠 Likely Case

Partial network disruption where affected nodes become unresponsive, causing transaction delays and potential consensus failures.

🟢 If Mitigated

Minimal impact if nodes are patched or isolated from malicious nodes.

🌐 Internet-Facing: MEDIUM - Requires a malicious node to join the network, but blockchain nodes often need to communicate with peers.
🏢 Internal Only: HIGH - In a private blockchain deployment, any compromised internal node could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to control a node in the network. The attack involves sending specially crafted invalid proposals.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after release-3.0.0-rc2

Vendor Advisory: https://github.com/FISCO-BCOS/FISCO-BCOS/issues/2312

Restart Required: Yes

Instructions:

  1. Upgrade FISCO-BCOS to a version after release-3.0.0-rc2.
  2. Restart all nodes.
  3. Verify nodes are processing blocks normally.

🔧 Temporary Workarounds

Node Isolation

Applies to: all

Temporarily isolate or block malicious nodes from the network to prevent exploitation.

# Configure firewall rules to block suspicious nodes
# Use network segmentation to isolate untrusted nodes

🧯 If You Can't Patch

  • Implement strict node admission controls to prevent untrusted nodes from joining the network.
  • Monitor network traffic for abnormal proposal patterns and block suspicious nodes immediately.

🔍 How to Verify

Check if Vulnerable:

Check whether the node is running FISCO-BCOS release-3.0.0-rc2. Monitor whether nodes stop producing blocks after receiving proposals.

Check Version:

./fisco-bcos --version

Verify Fix Applied:

Verify that the node has been upgraded to a version after release-3.0.0-rc2. Test by sending normal proposals and confirming that blocks are produced.

📡 Detection & Monitoring

Log Indicators:

  • Nodes stopping block production
  • Error messages about invalid proposals or headers
  • Consensus failures in logs

Network Indicators:

  • Sudden drop in block production rate
  • Increased network traffic with malformed proposals

SIEM Query:

source="fisco-bcos.log" AND ("invalid proposal" OR "stop producing blocks" OR "consensus error")
