Attention Agoric Validators and Node Operators
We were notified of a Cosmovisor issue affecting versions older than v1.0.0 that may result in a denial of service or remote code execution.
This is not a vulnerability in the Agoric chain, but we wish to make it known to members of our community who have manually installed and are using an affected Cosmovisor.
As described in the security advisory, running the following command against your Cosmovisor binary will report whether it is affected by this issue. Example runs against an affected and an unaffected binary:

Vulnerable to this issue:
    $ strings ./cosmovisor | grep -q "NEEDED at" && echo "vulnerable" || echo "NOT vulnerable"
    vulnerable

NOT vulnerable to this issue:
    $ strings ./cosmovisor_new | grep -q "NEEDED at" && echo "vulnerable" || echo "NOT vulnerable"
    NOT vulnerable
A validator or full node utilizing an affected version of Cosmovisor, with DAEMON_ALLOW_DOWNLOAD_BINARIES enabled, is vulnerable to an attacker triggering remote code execution on the host.
Install a version of Cosmovisor at v1.0.0 or newer to mitigate this issue:
go install firstname.lastname@example.org
NOTE: We never recommend that validators use DAEMON_ALLOW_DOWNLOAD_BINARIES, for security reasons that go beyond this vulnerability, as per the official Cosmovisor documentation. Consider instead manually checking out and building the Agoric SDK, then placing the built binary where Cosmovisor can find it in advance of the software upgrade.
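The following script is an added example, not part of the Agoric notice or the Cosmovisor project. It combines the advisory's binary check with the two operational points above (whether DAEMON_ALLOW_DOWNLOAD_BINARIES is enabled, and whether the upgrade binary has been pre-staged) into one host classification. Two assumptions are made: it uses `grep -a` on the raw binary in place of `strings | grep` so it runs without binutils, and it assumes Cosmovisor's documented upgrade layout `$DAEMON_HOME/cosmovisor/upgrades/<name>/bin/<DAEMON_NAME>`. The sample "binaries" it creates are constructed placeholders, not real Cosmovisor builds.

```shell
#!/bin/sh
# Added example (not from the Agoric notice): classify a Cosmovisor host's
# exposure to ASA-2023-001 and check that the upgrade binary is pre-staged.

# Returns 0 if the file at $1 carries the "NEEDED at" marker the advisory uses to
# identify pre-v1.0.0 Cosmovisor builds, 1 otherwise. grep -a scans the raw
# binary, which finds the same contiguous ASCII string that `strings` would print
# (assumption: this stands in for the advisory's strings-based check).
cosmovisor_is_affected() {
    grep -a -q "NEEDED at" "$1"
}

# Prints one of: affected-and-exposed, affected, not-affected.
# $1 = path to the cosmovisor binary
# $2 = value of DAEMON_ALLOW_DOWNLOAD_BINARIES (defaults to false, as Cosmovisor does)
classify_host() {
    bin="$1"
    allow_download="${2:-false}"
    if cosmovisor_is_affected "$bin"; then
        if [ "$allow_download" = "true" ]; then
            echo "affected-and-exposed"   # RCE-reachable: old build + auto-download on
        else
            echo "affected"               # old build, but no auto-download path
        fi
    else
        echo "not-affected"
    fi
}

# Returns 0 if an executable for upgrade $2 of daemon $3 is already staged under
# DAEMON_HOME $1, i.e. Cosmovisor will not need to download anything at upgrade
# height (layout assumed from the Cosmovisor documentation).
upgrade_prestaged() {
    [ -x "$1/cosmovisor/upgrades/$2/bin/$3" ]
}

# Constructed sample data so the script runs offline: a placeholder file with the
# marker stands in for an old build, one without it for v1.0.0 or newer, plus a
# DAEMON_HOME with one pre-staged upgrade binary.
make_samples() {
    dir="$(mktemp -d)"
    printf 'ELF placeholder ... NEEDED at ...\n' > "$dir/cosmovisor_old"
    printf 'ELF placeholder ... no marker here ...\n' > "$dir/cosmovisor_new"
    mkdir -p "$dir/home/cosmovisor/upgrades/agoric-upgrade-X/bin"
    printf '#!/bin/sh\necho agd placeholder\n' > "$dir/home/cosmovisor/upgrades/agoric-upgrade-X/bin/agd"
    chmod +x "$dir/home/cosmovisor/upgrades/agoric-upgrade-X/bin/agd"
    echo "$dir"
}

main() {
    dir="$(make_samples)"
    echo "old build, downloads on : $(classify_host "$dir/cosmovisor_old" true)"
    echo "old build, downloads off: $(classify_host "$dir/cosmovisor_old" false)"
    echo "new build, downloads on : $(classify_host "$dir/cosmovisor_new" true)"
    if upgrade_prestaged "$dir/home" agoric-upgrade-X agd; then
        echo "agoric-upgrade-X: binary pre-staged"
    else
        echo "agoric-upgrade-X: binary MISSING, stage it before the upgrade height"
    fi
    rm -rf "$dir"
}

main
```

On a real host, call `classify_host /path/to/cosmovisor "$DAEMON_ALLOW_DOWNLOAD_BINARIES"` and `upgrade_prestaged "$DAEMON_HOME" <upgrade-name> agd` with the node's actual environment; the only result that needs action beyond upgrading Cosmovisor is "affected-and-exposed", which means the host is running an old build with automatic downloads turned on.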
Contact email@example.com to report any security issues affecting the Agoric community.
GitHub Security Advisory: Amulet Security Advisory, Cosmovisor: ASA-2023-001 (cosmos/cosmos-sdk)