CORIONplatform / solidity

GNU General Public License v3.0

Critical vulnerability. External dependencies of moduleHandler blocks module updates. #48

Closed Dexaran closed 7 years ago

Dexaran commented 7 years ago

This function execution requirement will fail if the replaceable module does not support the replaceModule(address) function, or if the replaceable module returns false.

If the corrupted module does not return true after the execution of replaceModule, you will be unable to replace this corrupted module. This can lead to the crash of the entire platform.

iFA88 commented 7 years ago

This would not happen when you connect a tested module to the module handler. It is like the same situation when you plug a burned RAM module into your motherboard and wonder why it is not booting. :)

Dexaran commented 7 years ago

It is a potential vector of attack. You can replace any module with a corrupted module, and you will not be able to restore the platform because you cannot replace the corrupted module. It will ruin the whole platform.

Yesterday we saw a social engineering attack.

You can say: "We will never make a mistake here," but if there is an opportunity to do so, then this is a vulnerability.
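The dependency discussed in this thread, shown next to a variant that does not rely on the old module's cooperation. This is an added example, not code from the CORION repository or from either commenter; the contract, its function names other than `replaceModule(address)`, the event and the gas cap are all hypothetical.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.1;

// Hypothetical interface: only replaceModule(address) is named in the issue.
interface IModule {
    function replaceModule(address newModule) external returns (bool);
}

// Illustrative registry, not CORION's moduleHandler.
contract ModuleRegistrySketch {
    address public immutable owner;
    mapping(bytes32 => address) public modules;

    event ModuleReplaced(bytes32 indexed name, address oldModule, address newModule, bool acked);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Pattern from the issue: the update is gated on the module being replaced.
    // If that module reverts, lacks the function or returns false, the
    // require fails and the entry can never be changed.
    function replaceBlocking(bytes32 name, address newModule) external onlyOwner {
        require(IModule(modules[name]).replaceModule(newModule), "old module refused");
        modules[name] = newModule;
    }

    // Hardened variant: update the registry first, then notify the old module
    // on a best-effort basis. Its answer is logged, never required.
    function replaceSafe(bytes32 name, address newModule) external onlyOwner {
        require(newModule.code.length > 0, "new module has no code");
        address old = modules[name];
        modules[name] = newModule;
        // Low-level call: a revert or malformed return data from the old
        // module cannot bubble up. The gas cap is an arbitrary sample value.
        (bool ok, bytes memory ret) = old.call{gas: 200000}(
            abi.encodeWithSelector(IModule.replaceModule.selector, newModule)
        );
        bool acked = ok && ret.length == 32 && abi.decode(ret, (uint256)) == 1;
        emit ModuleReplaced(name, old, newModule, acked);
    }
}
```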