CVE-2024-11991
📋 TL;DR
CVE-2024-11991 is an uninitialized memory access vulnerability in Motoko's incremental garbage collector that could allow unauthorized read or write access to a canister's memory. Only Motoko canisters that have explicitly enabled incremental garbage collection or enhanced orthogonal persistence (non-default features) are affected. Because these features must be switched on deliberately, the vulnerability requires specific configuration changes to be exploitable.
💻 Affected Systems
- Motoko compiler and runtime
📦 What is this software?
Motoko by DFINITY: a programming language for writing canister smart contracts on the Internet Computer, shipped with its own compiler and runtime system.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could read sensitive data from or write arbitrary data to a canister's memory, potentially leading to data theft, privilege escalation, or canister compromise.
Likely Case
Limited impact due to the non-default nature of the vulnerable features; exploitation requires canister developers to have specifically enabled incremental GC or enhanced orthogonal persistence.
If Mitigated
Minimal impact if canisters use default configurations or if the patch is applied before enabling vulnerable features.
🎯 Exploit Status
Exploitation requires specific canister configuration and understanding of Motoko's memory management internals.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in the latest Motoko release (check specific version in advisory)
Vendor Advisory: https://github.com/dfinity/motoko/security/advisories/GHSA-9rhg-3qf8-hrv3
Restart Required: Yes
Instructions:
1. Update the Motoko compiler to the latest version.
2. Recompile and redeploy affected canisters.
3. Restart any running canisters that use incremental GC or enhanced orthogonal persistence.
🔧 Temporary Workarounds
Disable vulnerable features
- Disable the incremental garbage collector and enhanced orthogonal persistence in all canister configurations
- Modify canister configuration to use the default garbage collection settings
🧯 If You Can't Patch
- Disable the incremental garbage collector and enhanced orthogonal persistence in all canister configurations
- Implement strict access controls and monitoring for canisters that must use these features
🔍 How to Verify
Check if Vulnerable:
Check whether any canisters have the incremental garbage collector or enhanced orthogonal persistence enabled in their configuration; canisters using the default garbage collector are not affected
Check Version:
motoko --version
Verify Fix Applied:
Verify that the Motoko compiler version is updated and that affected canisters have been recompiled and redeployed with the fixed version
📡 Detection & Monitoring
Log Indicators:
- Unexpected memory access patterns in canister logs
- Garbage collection anomalies
Network Indicators:
- Unusual canister memory access patterns
SIEM Query:
Canister logs containing memory access errors or garbage collection failures