CVE-2023-36184
📋 TL;DR
CVE-2023-36184 is a stack overflow vulnerability in Mysten Labs Sui blockchain v1.2.0 that can be triggered via the /spec/openrpc.json endpoint. This allows remote attackers to potentially crash nodes or execute arbitrary code. All Sui blockchain nodes running the vulnerable version are affected.
💻 Affected Systems
- Mysten Labs Sui blockchain
📦 What is this software?
Aptos by Aptosfoundation
Move by Move Project
Sui by Mystenlabs
⚠️ Risk & Real-World Impact
Worst Case
Complete network shutdown, potential hard fork required, remote code execution leading to total compromise of blockchain nodes.
Likely Case
Denial of service causing node crashes and network instability, potentially disrupting blockchain operations.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting exposure to the vulnerable endpoint.
🎯 Exploit Status
The vulnerability involves a stack overflow which is relatively straightforward to trigger once the attack vector is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 8b681515c0cf435df2a54198a28ab4ef574d202b
Vendor Advisory: https://github.com/MystenLabs/sui/commit/8b681515c0cf435df2a54198a28ab4ef574d202b
Restart Required: Yes
Instructions:
1. Update to the latest Sui version containing the fix.
2. Stop the Sui node service.
3. Replace the binary with the patched version.
4. Restart the Sui node service.
5. Verify the node is running the updated version.
🔧 Temporary Workarounds
Block OpenRPC endpoint access
Linux: Restrict network access to the /spec/openrpc.json endpoint using firewall rules or a web application firewall. Note that the iptables string match below only inspects unencrypted HTTP payloads and only within a single packet, so it does not cover TLS-terminated or fragmented requests.
iptables -A INPUT -p tcp --dport [SUI_PORT] -m string --string "/spec/openrpc.json" --algo bm -j DROP
Disable OpenRPC endpoint
All platforms: Configure Sui to disable the OpenRPC specification endpoint if it is not required.
Modify Sui configuration to disable OpenRPC endpoint (check Sui documentation for specific configuration)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Sui nodes from untrusted networks
- Deploy web application firewall rules to block malicious requests to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check if running Sui v1.2.0 and if the /spec/openrpc.json endpoint is accessible via HTTP request.
Check Version:
sui --version
Verify Fix Applied:
Verify the Sui version is updated beyond commit 8b681515c0cf435df2a54198a28ab4ef574d202b and test the endpoint with crafted requests.
📡 Detection & Monitoring
Log Indicators:
- Multiple stack overflow errors in logs
- Abnormal termination of Sui node process
- High volume of requests to /spec/openrpc.json
Network Indicators:
- Unusual traffic patterns to Sui node port 9000
- Large payloads sent to /spec/openrpc.json endpoint
SIEM Query:
source="sui.logs" AND ("stack overflow" OR "segmentation fault" OR "panic")
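The log and network indicators above, turned into a small offline check. This is an added example, not code from the advisory or from the Sui project: the request-log format (`src=... path=...`), the per-source threshold and the sample lines are constructed assumptions, and the pattern "overflowed its stack" is added because a Rust process prints that line before "fatal runtime error: stack overflow".

```python
import re
from collections import Counter

# Crash indicators from the advisory's log indicators and SIEM query, plus
# Rust's own "has overflowed its stack" line, which the SIEM query alone misses.
CRASH_RE = re.compile(
    r"stack overflow|overflowed its stack|segmentation fault|panic", re.IGNORECASE)
# Assumed (constructed) request-log format: "... src=<ip> ... path=<path> ..."
ENDPOINT_RE = re.compile(r"src=(?P<src>\S+).*\bpath=/spec/openrpc\.json\b")

# Hypothetical per-source threshold for "high volume"; tune to normal traffic.
REQUEST_THRESHOLD = 5


def scan_logs(lines, threshold=REQUEST_THRESHOLD):
    """Return crash-indicator lines, sources at or above the request
    threshold, and the total number of requests to the OpenRPC endpoint."""
    crashes = []
    per_source = Counter()
    for line in lines:
        if CRASH_RE.search(line):
            crashes.append(line.strip())
        m = ENDPOINT_RE.search(line)
        if m:
            per_source[m.group("src")] += 1
    noisy = {src: n for src, n in per_source.items() if n >= threshold}
    return {"crash_lines": crashes, "noisy_sources": noisy,
            "endpoint_requests": sum(per_source.values())}


# Constructed sample lines (not real Sui output); 203.0.113.0/24 is a
# documentation address range.
SAMPLE_LOGS = (
    ["2023-06-20T10:00:%02dZ INFO rpc src=203.0.113.7 method=GET "
     "path=/spec/openrpc.json status=200" % i for i in range(6)]
    + ["2023-06-20T10:00:10Z INFO rpc src=203.0.113.9 method=GET "
       "path=/spec/openrpc.json status=200",
       "2023-06-20T10:00:11Z INFO rpc src=203.0.113.9 method=POST "
       "path=/ status=200",
       "thread 'tokio-runtime-worker' has overflowed its stack",
       "fatal runtime error: stack overflow",
       "2023-06-20T10:00:12Z ERROR sui-node panic: node process exiting"]
)

if __name__ == "__main__":
    print(scan_logs(SAMPLE_LOGS))
```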
🔗 References
- https://github.com/MystenLabs/sui/commit/8b681515c0cf435df2a54198a28ab4ef574d202b
- https://github.com/aptos-labs/aptos-core/commit/47a0391c612407fe0b1051ef658a29e35d986963
- https://github.com/move-language/move/issues/1059
- https://medium.com/%40Beosin_com/critical-vulnerability-in-move-vm-can-cause-total-network-shutdown-and-potential-hard-fork-in-sui-49d0d942801c