CVE-2023-36199
📋 TL;DR
This vulnerability in skalenetwork sgxwallet allows attackers to cause denial of service through the trustedGenerateEcdsaKey component. It affects all users running sgxwallet version 1.9.0 and earlier. The attack disrupts key generation functionality, potentially preventing legitimate operations.
💻 Affected Systems
- skalenetwork sgxwallet
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption preventing all key generation operations, potentially affecting blockchain transaction processing and wallet functionality.
Likely Case
Intermittent service degradation where key generation requests fail, causing transaction delays and user frustration.
If Mitigated
Minimal impact with proper monitoring and rapid response to service interruptions.
🎯 Exploit Status
Exploitation requires access to the trustedGenerateEcdsaKey API endpoint. The GitHub issue suggests the vulnerability is related to improper input validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after v1.9.0 (check latest release)
Vendor Advisory: https://github.com/skalenetwork/sgxwallet/issues/419
Restart Required: Yes
Instructions:
1. Check the current sgxwallet version.
2. Update to the latest version from the official repository.
3. Restart the sgxwallet service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict API Access
Limit access to the trustedGenerateEcdsaKey endpoint to trusted sources only.
# Configure firewall rules to restrict access to sgxwallet API port
# Example: iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IP] -j ACCEPT
# iptables -A INPUT -p tcp --dport [API_PORT] -j DROP
Implement Rate Limiting
Add rate limiting to the trustedGenerateEcdsaKey endpoint to prevent DoS attacks.
# Use nginx or a similar reverse proxy with rate limiting in front of the sgxwallet API
# Example nginx config (limit_req_zone goes in the http block, limit_req in the proxied location):
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req zone=api burst=20 nodelay;
🧯 If You Can't Patch
- Implement strict network segmentation to isolate sgxwallet from untrusted networks
- Deploy additional monitoring and alerting for failed key generation attempts
🔍 How to Verify
Check if Vulnerable:
Check the sgxwallet version. If it is 1.9.0 or earlier, the system is vulnerable.
Check Version:
Run sgxwallet --version, or check the version in the application configuration or logs.
Verify Fix Applied:
Verify sgxwallet version is greater than 1.9.0 and test key generation functionality.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed key generation requests
- Service restart events
- Error messages related to trustedGenerateEcdsaKey
Network Indicators:
- Unusual traffic patterns to the sgxwallet API port
- High volume of requests to the key generation endpoint
SIEM Query:
source="sgxwallet.log" AND "trustedGenerateEcdsaKey" AND ("error" OR "failed")
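As an added example (not part of this advisory), the log indicators and SIEM query above implemented as detection logic in Python over constructed sample log lines: a match requires the trustedGenerateEcdsaKey name AND an error/failed marker, and an alert fires when one source accumulates several such failures in a 60-second window. The timestamp/level/src= line layout is an assumption, not real sgxwallet output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the layout (timestamp, level, src=, message)
# is an assumption for this example, not real sgxwallet output.
SAMPLE_LOG = [
    "2024-01-10T12:00:00Z INFO  src=10.0.0.5 generateECDSAKey ok",
    "2024-01-10T12:00:01Z ERROR src=10.0.0.9 trustedGenerateEcdsaKey failed: invalid input",
    "2024-01-10T12:00:02Z ERROR src=10.0.0.9 trustedGenerateEcdsaKey error: enclave call aborted",
    "2024-01-10T12:00:03Z INFO  src=10.0.0.5 ecdsaSign ok",
    "2024-01-10T12:00:04Z ERROR src=10.0.0.9 trustedGenerateEcdsaKey failed: invalid input",
    "2024-01-10T12:00:05Z WARN  src=10.0.0.7 ecdsaSign failed: unknown key",
    "2024-01-10T12:05:00Z ERROR src=10.0.0.9 trustedGenerateEcdsaKey failed: invalid input",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+src=(?P<src>\S+)\s+(?P<msg>.*)$")

def matches_query(line: str) -> bool:
    """SIEM query with explicit grouping: function name AND (error OR failed).
    Without the grouping, a bare 'failed' from any component (e.g. ecdsaSign)
    would match and flood the alert with unrelated noise."""
    low = line.lower()
    return "trustedgenerateecdsakey" in low and ("error" in low or "failed" in low)

def burst_alerts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {src: max_hits} for sources whose matching lines reach `threshold`
    within any sliding `window`; an isolated later failure does not count."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and matches_query(line):
            by_src[m["src"]].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    alerts = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide window start forward
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                alerts[src] = max(alerts.get(src, 0), hits)
    return alerts

if __name__ == "__main__":
    print(sum(matches_query(l) for l in SAMPLE_LOG), "matching lines")
    for src, n in burst_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} trustedGenerateEcdsaKey failures within 60s")
```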