[Lightning-dev] CVEs assigned for lightning projects: please upgrade!

[Baofeng]

[Lightning-dev] CVEs assigned for lightning projects: please upgrade!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Security issues have been found in various lightning projects which
could cause loss of funds.

Full details will be released in 4 weeks (2019-09-27), please uprade
well before then.

Effected releases:

    CVE-2019-12998 c-lightning < 0.7.1
    CVE-2019-12999 lnd < 0.7
    CVE-2019-13000 eclair <= 0.3

Cheers,
Rusty.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEFe6NbKsOfwz5mb/L2SAObNGtuPEFAl1o7UAACgkQ2SAObNGt
uPFR7xAAqlcY/gCzfx5Sl49BwLIvr5EZlKYxasIoU4FoiAxLN0sRMksBLY+gUA3L
7XuPi7oJSsnJc0Gvq6DnWo8W/jqAETgK0XeCyESdtX1tLeXMEiCoAXccRBT/hNbr
aHRiyeRO6YnrfzJN2CKStzXUvoVEvyB4lpMZ+dTJYdulOUs20ELU/zzSQe/syGnD
7kujvBVyk4LJIYQ9piGl1pc4Y8mORK2ttYCVk4HCy+eu1RGHRVze135ve2MhQVOd
Mzs57lqXM8k+ZUumD5eB6pgvENlFzgFVaywYvf7+RSZIx185qosHTbQU84icyunp
W68FhCk9DMUYlhU8lBVyX1qS1+YhBYvm79zK4lCSJ9CQBZ2Oox2tz9RuO/3DPSol
RCZ3+h8SCKai8ZASXhz4dL4nXSpdKNjJrQdRvp7I1e2netkZpaF2Dyd7FDvFnhad
SWP/juo/n9rmkyfbuxQYj5sdixV9G9cpV85BnQDX558r+AMRPVin/xs5NBZMknkN
S7Wc9aq8nlVUeoTV5+TnGbz8NPXyYLNSotJdwBnA+RWTD9emCBah3UOxVlJR7N5e
nZuumPauLJyZESzxvRDgQ0Hca7hMCMBh+xJ/OFDy+n4oHxFLihCtY3EktSE43v2N
+PXbLFXw9w7jSPxn5FgqzB9D/E/eqkLe/+UKsnQ0ji8trEd36DU=
=Z6RL
-----END PGP SIGNATURE-----

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-August/002130.html

[Baofeng]

It's been confirmed that is has been exploited already:

We've confirmed instances of the CVE being exploited in the wild.  If you’re
not on the following versions of either of these implementations (these
versions are fully patched), then you need to upgrade now to avoid risk of
funds loss:
    * lnd v0.7.1 -- anything 0.7 and below is vulnerable
    * c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
    * eclair v0.3.1 -- anything 0.3 and below is vulnerable

We'd also like to remind the community that we still have limits in place on
the network to mitigate widespread funds loss, and please keep that in mind
when putting funds onto the network at this early stage.

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002148.html

[DaveF]

It's been confirmed that is has been exploited already:

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002148.html

So in the link posted above:

We've confirmed instances of the CVE being exploited in the wild.  If you’re
not on the following versions of either of these implementations (these
versions are fully patched), then you need to upgrade now to avoid risk of
funds loss:
    * lnd v0.7.1 -- anything 0.7 and below is vulnerable
    * c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
    * eclair v0.3.1 -- anything 0.3 and below is vulnerable

But in the actual "release" of the vulnerability (It had been discussed for a while on some hacker sites and at DefCon)

https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html

They put this in the timeline:

2019-09-07: First conclusive evidence of exploit attempt in the wild.

While having this in the text above it:

While this long-standing bug had not been independently discovered, and thus
was unlikely to be discovered by a malicious party before being fixed, it did
provide an opportunity to test communications and methods of upgrade across
the entire lightning ecosystem.

That's some really good doublethink.

-Dave