CVE-2023-34458

7.1 HIGH

📋 TL;DR

A flaw in mx-chain-go's transaction processing increments the sender's nonce even when a relayed inner transaction fails, so an attacker can mount a limited denial of service against targeted accounts by exhausting their nonce sequence. All MultiversX blockchain nodes running vulnerable versions are affected. The defect sits in the strict processing path used during block validation.

💻 Affected Systems

Products:
  • mx-chain-go
Versions: All versions before 1.4.17
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all MultiversX blockchain nodes processing relayed transactions. The vulnerability is in the core transaction validation logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Targeted account becomes unusable due to nonce exhaustion, requiring manual intervention to reset or recover the account and disrupting blockchain operations.

🟠 Likely Case

Limited DoS against specific accounts, causing transaction failures and requiring account nonce resynchronization.

🟢 If Mitigated

Minimal impact with proper monitoring and rapid patching; transaction failures would be logged but would not cause persistent account issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires ability to submit relayed transactions to the network. No public exploit code has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.17

Vendor Advisory: https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp

Restart Required: Yes

Instructions:

1. Stop the mx-chain-go service.
2. Back up configuration and data.
3. Update to version 1.4.17 or later.
4. Restart the service.
5. Verify the new version is running.

🔧 Temporary Workarounds

Disable relayed transactions (applies to: all)

Temporarily disable processing of relayed transactions if they are not required for your node's operation.

Modify the node configuration to reject relayed transactions.

🧯 If You Can't Patch

  • Monitor transaction logs for failed relayed transactions and unusual nonce increments
  • Implement rate limiting on transaction submission to reduce attack surface

🔍 How to Verify

Check if Vulnerable:

Check whether the running mx-chain-go version is below 1.4.17.

Check Version:

Run ./node --version, or check the service status output.

Verify Fix Applied:

Verify that the version is 1.4.17 or higher and that a failed relayed inner transaction no longer advances the sender's nonce.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed relayed transactions from same sender
  • Unexpected nonce increments for accounts
  • Transaction validation errors in block processing

Network Indicators:

  • Unusual patterns of relayed transaction submissions
  • Spike in transaction failures for specific accounts

SIEM Query:

source="mx-chain-go" AND ("relayed transaction failed" OR "nonce increment" OR "validation error")
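The log indicators above can be checked offline before a SIEM rule is written. The following is an added example, not code from the advisory or from mx-chain-go: it assumes a hypothetical log layout (constructed sample lines, not the node's real format) whose phrases mirror the SIEM query, flags senders with a burst of failed relayed transactions, and flags nonces that were still consumed by a failed relayed transaction, which is this bug's signature on an unpatched node.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log layout (not mx-chain-go's real format);
# the key phrases mirror the SIEM query above.
SAMPLE_LOG = """\
2023-06-20T10:00:00Z WARN relayed transaction failed sender=erd1alice nonce=7
2023-06-20T10:00:00Z INFO nonce increment account=erd1alice old=7 new=8
2023-06-20T10:00:02Z WARN relayed transaction failed sender=erd1alice nonce=8
2023-06-20T10:00:02Z INFO nonce increment account=erd1alice old=8 new=9
2023-06-20T10:00:03Z WARN relayed transaction failed sender=erd1alice nonce=9
2023-06-20T10:00:03Z INFO nonce increment account=erd1alice old=9 new=10
2023-06-20T10:05:00Z WARN relayed transaction failed sender=erd1bob nonce=2
2023-06-20T10:05:01Z INFO nonce increment account=erd1bob old=2 new=3
2023-06-20T10:20:00Z WARN relayed transaction failed sender=erd1carol nonce=4
"""
FAILED_RE = re.compile(r"^(\S+) \S+ relayed transaction failed sender=(\S+) nonce=(\d+)$")
INCR_RE = re.compile(r"^(\S+) \S+ nonce increment account=(\S+) old=(\d+) new=(\d+)$")


def analyze(log_text, window=timedelta(minutes=1), threshold=3):
    """Return (bursts, consumed): senders with >= threshold failed relayed txs inside
    any `window`, and nonces a failed relayed tx still consumed (the bug's signature)."""
    failures = defaultdict(list)   # sender -> timestamps of failed relayed txs
    last_failed = {}               # sender -> nonce of its most recent failed relayed tx
    consumed = defaultdict(list)   # sender -> nonces incremented past despite failure
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m[2]].append(datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"))
            last_failed[m[2]] = int(m[3])
            continue
        m = INCR_RE.match(line)
        if m and last_failed.get(m[2]) == int(m[3]):
            # Unpatched behaviour: the failed inner tx still advanced the sender's nonce.
            consumed[m[2]].append(int(m[3]))
            del last_failed[m[2]]
    bursts = {}
    for sender, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[sender] = max(bursts.get(sender, 0), end - start + 1)
    return bursts, dict(consumed)
```

On a patched node the `consumed` map should stay empty even while failures are logged; the burst map alone then points at noisy or abusive submitters rather than at nonce exhaustion.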
