Cosmovisor Security Advisory

:warning: Attention Agoric Validators and Node Operators :warning:

We were notified of a Cosmovisor issue affecting versions earlier than v1.0.0 that may result in denial of service or remote code execution.

This is not a vulnerability in the Agoric chain itself, but we want to make it known to community members who have manually installed and are running an affected version of Cosmovisor.

How to tell if I am affected?

As described in the security advisory, the following command reports whether a cosmovisor binary is vulnerable to this issue. It looks in the binary for the string "NEEDED at", which the affected versions contain. Run it against the binary your node actually executes (for example the path reported by which cosmovisor, or whatever your service manager starts), not only against a copy in the current directory:

Vulnerable to this issue:

strings ./cosmovisor | grep -q "NEEDED at" && echo "vulnerable" || echo "NOT vulnerable"

vulnerable

NOT vulnerable to this issue:

strings ./cosmovisor_new | grep -q "NEEDED at" && echo "vulnerable" || echo "NOT vulnerable"

NOT vulnerable

The issue

A validator or full node running an affected version of Cosmovisor with DAEMON_ALLOW_DOWNLOAD_BINARIES enabled is vulnerable to an attacker triggering remote code execution on the host. Upgrading is recommended regardless of that setting, since the advisory also lists denial of service as a possible outcome.
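As an added example (not code from the Agoric post or from the Cosmos SDK project), the script below wraps the advisory's check so it runs against the cosmovisor binary your node actually executes and combines the result with the DAEMON_ALLOW_DOWNLOAD_BINARIES setting, the two conditions named in this section. The "NEEDED at" string test is the one given above; the fallback to grep -a when strings is not installed, and the treatment of 1/t/true as "enabled", are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Agoric post or the Cosmos SDK project).
# Re-runs the advisory's "strings | grep" test against a given cosmovisor
# binary and combines it with DAEMON_ALLOW_DOWNLOAD_BINARIES, the second
# condition for remote code execution named in the post.

# Print the printable strings of a file. Falls back to the raw bytes when
# binutils' strings is not installed (assumption: grep -a below copes with that).
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        cat "$1"
    fi
}

# cosmovisor_check PATH
# Prints "vulnerable" (and returns 0) when the binary carries the "NEEDED at"
# string the advisory keys on, "NOT vulnerable" (returns 1) otherwise.
cosmovisor_check() {
    bin="$1"
    if [ ! -r "$bin" ]; then
        echo "cannot read $bin" >&2
        return 2
    fi
    if printable_strings "$bin" | grep -a -q "NEEDED at"; then
        echo "vulnerable"
        return 0
    fi
    echo "NOT vulnerable"
    return 1
}

# cosmovisor_exposure PATH ALLOW_DOWNLOAD
# ALLOW_DOWNLOAD is the value of DAEMON_ALLOW_DOWNLOAD_BINARIES ("false" when
# unset, which is cosmovisor's default). Prints one of:
#   exposed                 affected binary and binary downloads enabled (RCE)
#   affected-downloads-off  affected binary, downloads disabled: still upgrade
#   not-affected            binary does not carry the string
cosmovisor_exposure() {
    bin="$1"
    allow="${2:-false}"
    if [ ! -r "$bin" ]; then
        echo "cannot read $bin" >&2
        return 2
    fi
    if cosmovisor_check "$bin" >/dev/null; then
        # assumption: the setting is parsed as a Go-style boolean
        case "$allow" in
            1|t|T|true|TRUE|True) echo "exposed" ;;
            *) echo "affected-downloads-off" ;;
        esac
    else
        echo "not-affected"
    fi
}

# Usage: sh cosmovisor-check.sh [/path/to/cosmovisor]
# Defaults to the cosmovisor found on PATH; prints nothing if there is none.
if [ $# -gt 0 ] || command -v cosmovisor >/dev/null 2>&1; then
    bin="${1:-$(command -v cosmovisor)}"
    printf '%s: %s\n' "$bin" "$(cosmovisor_check "$bin")"
    printf 'DAEMON_ALLOW_DOWNLOAD_BINARIES=%s\n' "${DAEMON_ALLOW_DOWNLOAD_BINARIES:-<unset>}"
    printf 'exposure: %s\n' "$(cosmovisor_exposure "$bin" "${DAEMON_ALLOW_DOWNLOAD_BINARIES:-false}")"
fi
```

Run it on the host as the user that starts the node, since DAEMON_ALLOW_DOWNLOAD_BINARIES is read from that process's environment; if the node is started by a service manager, pass the binary path from the unit and export the unit's environment first, or the exposure line will reflect your shell rather than the node.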

Recommendations

Install Cosmovisor v1.0.0 or newer to mitigate this issue, for example with:

go install github.com/cosmos/cosmos-sdk/cosmovisor/cmd/cosmovisor@v1.0.0

Then re-run the check above against the newly installed binary and restart your node so that it is actually running under the new version.

NOTE: We never recommend that validators enable DAEMON_ALLOW_DOWNLOAD_BINARIES, for security reasons that go beyond this vulnerability, in line with the official Cosmovisor documentation. Instead, check out and build the Agoric SDK yourself, then place the resulting binary where Cosmovisor can find it ahead of the software upgrade.

References

Contact security@agoric.com to report any security issues affecting the Agoric community.

GitHub Security Advisory: Amulet Security Advisory for Cosmovisor: ASA-2023-001 (cosmos/cosmos-sdk)

Cosmos Hub Forum post: Amulet Security Advisory for Cosmovisor: ASA-2023-001 (Security category)
