CVE-2024-21669
📋 TL;DR
This vulnerability in Hyperledger Aries Cloud Agent Python (ACA-Py) allows attackers to present forged verifiable credentials and enables malicious verifiers to replay presentations as their own. It affects all deployments using W3C Format Verifiable Credentials with JSON-LD and Linked Data Proofs. The flaw has been present since version 0.7.0.
💻 Affected Systems
- Hyperledger Aries Cloud Agent Python (ACA-Py)
📦 What is this software?
Aries Cloud Agent by Hyperledger
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of decentralized identity systems allowing impersonation, credential forgery, and unauthorized access to services relying on verifiable credentials.
Likely Case
Malicious actors could present invalid credentials as valid, leading to unauthorized access or fraudulent transactions in identity systems.
If Mitigated
With proper monitoring and limited credential scope, impact could be reduced to isolated credential validation failures.
🎯 Exploit Status
Exploitation requires understanding of W3C verifiable credentials and JSON-LD proofs. Attackers need to be holders or verifiers in the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.10.5 or 0.11.0
Vendor Advisory: https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Update ACA-Py with pip: pip install --upgrade aries-cloudagent==0.10.5 (or pip install --upgrade aries-cloudagent==0.11.0).
3. Restart all ACA-Py services.
4. Verify the fix by testing credential verification.
🔧 Temporary Workarounds
Disable LDP-VC verification
Temporarily disable verification of W3C Format Verifiable Credentials that use JSON-LD with Linked Data Proofs.
Modify ACA-Py configuration to disable LDP-VC verification features
🧯 If You Can't Patch
- Implement additional validation layers for all credential presentations
- Monitor and audit all credential verification attempts for anomalies
🔍 How to Verify
Check if Vulnerable:
Check if running ACA-Py version 0.7.0 through 0.10.4 and using LDP-VC features
Check Version:
python -c "import aries_cloudagent; print(aries_cloudagent.__version__)"
Verify Fix Applied:
Test credential verification with malformed proofs to ensure they are properly rejected
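The version check above prints the installed version but leaves the range comparison to the reader, and a plain string comparison gets it wrong ("0.10.4" sorts before "0.7.0" lexicographically). The following is an added example, not ACA-Py project code: it classifies a version string against the range this page lists as affected (0.7.0 through 0.10.4, fixed in 0.10.5 and 0.11.0). It assumes aries_cloudagent.__version__ is available as the page's one-liner shows; pre-release suffixes such as rc0 or dev are treated conservatively as affected when their numeric part equals a fix version.

```python
"""Classify an ACA-Py version against the affected range given on this page.

Added example for this advisory page, not code from the ACA-Py project.
Range assumed from the page: affected 0.7.0 .. 0.10.4, fixed in 0.10.5 / 0.11.0.
"""
import re
from typing import Tuple

# Fourth tuple element: 0 for a final release, -1 for a pre-release (rc, dev, ...),
# so "0.10.5rc0" sorts *below* "0.10.5" and is still treated as affected.
Version = Tuple[int, int, int, int]

AFFECTED_MIN: Version = (0, 7, 0, 0)
FIXED_010_BRANCH: Version = (0, 10, 5, 0)
FIXED_011_BRANCH: Version = (0, 11, 0, 0)

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(text: str) -> Version:
    """Turn '0.10.4', 'v0.11', '0.10.5rc0' into a comparable 4-tuple."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(p) for p in match.group(1).split(".")]
    numbers = (numbers + [0, 0, 0])[:3]          # pad "0.10" -> 0.10.0
    suffix = match.group(2).strip(" .-_")
    release_tag = -1 if suffix else 0           # any suffix => pre-release
    return (numbers[0], numbers[1], numbers[2], release_tag)


def is_affected(text: str) -> bool:
    """True when the version lies in the range this page lists as vulnerable."""
    v = parse_version(text)
    # Lower bound compares on the numeric part only, so a 0.7.0 pre-release
    # is also flagged (conservative on both edges of the range).
    if v[:3] < AFFECTED_MIN[:3]:
        return False
    if v >= FIXED_011_BRANCH:
        return False
    if v[:2] == (0, 10) and v >= FIXED_010_BRANCH:
        return False
    return True


def classify(text: str) -> str:
    return "AFFECTED" if is_affected(text) else "not affected"


if __name__ == "__main__":
    try:
        import aries_cloudagent  # type: ignore
        installed = aries_cloudagent.__version__
    except ImportError:
        installed = None
    if installed is None:
        print("aries_cloudagent is not importable in this environment")
    else:
        print(f"ACA-Py {installed}: {classify(installed)}")
    # Constructed sample inputs showing the edge cases:
    for sample in ("0.6.0", "0.7.0", "0.10.4", "0.10.5rc0", "0.10.5", "0.11.0", "1.0.0"):
        print(f"{sample:>10}: {classify(sample)}")
```

Run it inside the ACA-Py virtual environment to classify the installed package; the trailing loop shows how the boundaries and a pre-release suffix are handled. This only tells you whether the installed version falls in the range; whether the deployment actually uses LDP-VC features still has to be checked in the agent configuration.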
📡 Detection & Monitoring
Log Indicators:
- Multiple failed credential validations
- Unusual credential presentation patterns
- Proof verification errors
Network Indicators:
- Repeated credential presentation attempts
- Unusual timing in credential exchange protocols
SIEM Query:
source="aca-py" AND ("proof verification" OR "credential validation") AND status="success" AND proof_errors>0
🔗 References
- https://github.com/hyperledger/aries-cloudagent-python/commit/0b01ffffc0789205ac990292f97238614c9fd293
- https://github.com/hyperledger/aries-cloudagent-python/commit/4c45244e2085aeff2f038dd771710e92d7682ff2
- https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.10.5
- https://github.com/hyperledger/aries-cloudagent-python/releases/tag/0.11.0
- https://github.com/hyperledger/aries-cloudagent-python/security/advisories/GHSA-97x9-59rv-q5pm