CVE-2023-33964
📋 TL;DR
A vulnerability in mx-chain-go (MultiversX blockchain implementation) allows invalid cross-shard transactions with incorrect usernames to cause the metachain to stop notarizing blocks from shard chains. This affects MultiversX blockchain operators running vulnerable versions, potentially halting blockchain operations until patched.
💻 Affected Systems
- mx-chain-go
📦 What is this software?
mx-chain-go is MultiversX's Go implementation of its sharded blockchain protocol (formerly Elrond). It is the node software run by validators and observers on both the shard chains and the metachain, the coordinating chain that notarizes shard blocks.
⚠️ Risk & Real-World Impact
Worst Case
Metachain completely stops notarizing blocks from shard chains, halting blockchain operations and requiring manual intervention with patched binaries to resume functionality.
Likely Case
Processing error causes metachain to stop notarizing blocks, disrupting blockchain operations until administrators apply the patch and restart affected nodes.
If Mitigated
With proper monitoring and rapid patch deployment, minimal disruption occurs as administrators can quickly restore normal operations.
🎯 Exploit Status
Exploitation requires submitting a malformed cross-shard transaction carrying an incorrect username, which any participant able to broadcast transactions to the network could do. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.16
Vendor Advisory: https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2
Restart Required: Yes
Instructions:
1. Stop all mx-chain-go nodes.
2. Update to version 1.4.16 or later.
3. Restart nodes with patched binaries.
4. Monitor for normal notarization resumption.
🔧 Temporary Workarounds
No workarounds available. The vendor advisory states there are no known workarounds for this issue.
🧯 If You Can't Patch
- Implement strict transaction validation at network entry points to filter potentially malicious cross-shard transactions
- Increase monitoring for metachain notarization failures and prepare incident response procedures
🔍 How to Verify
Check if Vulnerable:
Check the mx-chain-go version: any version below 1.4.16 is vulnerable. Also monitor for metachain notarization failures, which indicate the condition has already been triggered.
Check Version:
Run ./node --version, or inspect the installed binary/package version.
Verify Fix Applied:
Confirm version is 1.4.16 or later and verify metachain is properly notarizing blocks from shard chains.
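The version check above is easy to get wrong on pre-release tags. The following is an added example (not code from the mx-chain-go project) that takes a version string as reported by the node and decides whether it sorts below the fixed release 1.4.16. The exact format of the node's version output is an assumption here; the parser follows semver precedence, so a "v" prefix and build metadata are ignored while a pre-release suffix such as -rc1 counts as older than the release.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the first release carrying the fix, per the advisory.
const fixedVersion = "1.4.16"

// parseVersion splits a string like "v1.4.15", "1.4.16-rc1" or
// "v1.4.16+build3" into numeric components and an optional pre-release tag.
func parseVersion(s string) ([3]int, string, error) {
	var nums [3]int
	s = strings.TrimSpace(strings.TrimPrefix(s, "v"))
	// Build metadata after '+' never affects precedence.
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	pre := ""
	if i := strings.IndexByte(s, '-'); i >= 0 {
		pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return nums, "", fmt.Errorf("unexpected version format: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, "", fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		nums[i] = n
	}
	return nums, pre, nil
}

// IsVulnerable reports whether the given version sorts below 1.4.16.
// A pre-release of 1.4.16 (for example 1.4.16-rc1) is treated as vulnerable
// because it precedes the release that carries the fix.
func IsVulnerable(reported string) (bool, error) {
	got, pre, err := parseVersion(reported)
	if err != nil {
		return false, err
	}
	fixed, _, _ := parseVersion(fixedVersion)
	for i := 0; i < 3; i++ {
		if got[i] != fixed[i] {
			return got[i] < fixed[i], nil
		}
	}
	// Numerically equal to the fix: only a pre-release tag makes it older.
	return pre != "", nil
}

func main() {
	// Assumed sample inputs, not output captured from a real node.
	for _, v := range []string{"v1.4.15", "v1.4.16-rc1", "v1.4.16", "v1.5.0"} {
		vuln, err := IsVulnerable(v)
		fmt.Printf("%-12s vulnerable=%v err=%v\n", v, vuln, err)
	}
}
```

If your build embeds a git hash after a hyphen, strip it before calling IsVulnerable, since the parser would otherwise treat it as a pre-release tag.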
📡 Detection & Monitoring
Log Indicators:
- Metachain transaction processing errors
- Cross-shard transaction validation failures
- Notarization process interruptions
Network Indicators:
- Unusual cross-shard transaction patterns
- Metachain block notarization gaps
SIEM Query:
Search for 'metachain notarization stopped' or 'cross-shard transaction error' in blockchain node logs
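A string match on the indicators above catches the error message, but the condition that actually matters is the metachain falling silent. The following added example (not mx-chain-go code) scans constructed log lines for the page's indicator phrases and additionally flags any stretch longer than a threshold without a "notarized shard block" event, including a stall at the tail of the log. The log layout, the "metachain notarized shard block" message and the sample lines are all assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample log. The timestamp-first layout and the message
// wording are assumptions for this example, not mx-chain-go's real format.
const sampleLogs = `2023-06-01T12:00:00Z INFO  metachain notarized shard block shard=0 nonce=1001
2023-06-01T12:00:06Z INFO  metachain notarized shard block shard=1 nonce=998
2023-06-01T12:00:12Z INFO  metachain notarized shard block shard=0 nonce=1002
2023-06-01T12:00:13Z ERROR cross-shard transaction error: invalid username
2023-06-01T12:05:30Z WARN  consensus round skipped
2023-06-01T12:10:00Z INFO  heartbeat ok`

// Indicator phrases from the page's SIEM query, matched case-insensitively.
var indicators = []string{
	"metachain notarization stopped",
	"cross-shard transaction error",
}

// notarizedMarker is the assumed message emitted per notarized shard block.
const notarizedMarker = "metachain notarized shard block"

type Finding struct {
	Line   string
	Reason string
}

// parseTS splits "<RFC3339 timestamp> <rest>" into a time and the remainder.
func parseTS(line string) (time.Time, string, bool) {
	fields := strings.SplitN(line, " ", 2)
	if len(fields) != 2 {
		return time.Time{}, "", false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return time.Time{}, "", false
	}
	return ts, fields[1], true
}

// Analyze returns indicator hits and notarization gaps longer than maxGap.
// A stall at the end of the log (no notarization within maxGap of the last
// line seen) is reported as well, since that is how a halted metachain looks.
func Analyze(logs string, maxGap time.Duration) []Finding {
	var findings []Finding
	var lastNotarized, lastSeen time.Time
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := sc.Text()
		ts, rest, ok := parseTS(line)
		if !ok {
			continue // skip lines without a parseable timestamp
		}
		lastSeen = ts
		lower := strings.ToLower(rest)
		for _, ind := range indicators {
			if strings.Contains(lower, ind) {
				findings = append(findings, Finding{line, "indicator: " + ind})
			}
		}
		if strings.Contains(lower, notarizedMarker) {
			if !lastNotarized.IsZero() && ts.Sub(lastNotarized) > maxGap {
				findings = append(findings, Finding{line,
					fmt.Sprintf("notarization gap %s", ts.Sub(lastNotarized))})
			}
			lastNotarized = ts
		}
	}
	if !lastNotarized.IsZero() && lastSeen.Sub(lastNotarized) > maxGap {
		findings = append(findings, Finding{"<end of log>",
			fmt.Sprintf("no notarization for %s", lastSeen.Sub(lastNotarized))})
	}
	return findings
}

func main() {
	for _, f := range Analyze(sampleLogs, 60*time.Second) {
		fmt.Printf("%-25s %s\n", f.Reason, f.Line)
	}
}
```

Tune maxGap to a few multiples of your network's round time; on the sample above a 60-second threshold reports the error line and the nearly ten-minute silence after the last notarized block.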
🔗 References
- https://github.com/multiversx/mx-chain-go/commit/97295471465f4b5f79e51b32f8b7111f8d921606
- https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-7xpv-4pm9-xch2