Security Bug - Memory leak when calling a canister method via `ic_cdk::call`

Dear all,

We recently discovered a memory leak in the ic_cdk::call* implementation in @dfinity/cdk-rs. Canisters built in Rust with ic_cdk and ic_cdk_timers are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker.

This is a high severity security issue and the patch has been backported to all minor versions between >= 0.8.0, <= 0.15.0. The patched versions available are 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1 and their previous versions have been yanked. Please see the GitHub Security Advisory for more information.

We encourage the ICP community to report any new issues or bugs found responsibly. Please refer to the Bug Bounty program for more information.

Please reach out to us in this thread or privately if you have any questions.


Sharing for visibility: According to this post, the security advisory on crates might contain a typo regarding the safest latest version, listing v16.0.0 instead of v0.16.0

my bad, too many versions. I have made a PR for the fix


So…does ic-cdk-timers need to be updated? Or just ic-cdk? It’s confusing that both are listed, but the advisory only mentions the ic-cdk crate.

Updating ic-cdk should be enough since ic-cdk-timers pulls in ic-cdk as a dependency.
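A quick way to act on the two points above (the patched ic-cdk releases listed in the opening post, and the fact that ic-cdk-timers is only affected through its ic-cdk dependency) is to scan a project's Cargo.lock and report which ic-cdk versions it resolves. The script below is an added example and not code from the thread or from cdk-rs; it assumes the standard Cargo.lock `[[package]]` layout and uses the patched version list from the advisory post (0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1, with 0.16.0 as the first unaffected minor line per the correction later in the thread). The embedded lockfile and its crate versions are constructed sample data.

```python
import re

# Patched ic-cdk releases from the advisory post: (major, minor) -> first fixed patch level.
PATCHED = {
    (0, 8): 2, (0, 9): 3, (0, 10): 1, (0, 11): 6,
    (0, 12): 2, (0, 13): 5, (0, 14): 1, (0, 15): 1,
}
# 0.16.0 and later were never affected (per the advisory correction in the thread).
FIRST_CLEAN_MINOR = (0, 16)


def parse_version(s):
    """Split a crates.io version like '0.12.1' (or '0.12.1-beta') into ints."""
    core = s.split("-")[0].split("+")[0]
    major, minor, patch = (int(x) for x in core.split(".")[:3])
    return major, minor, patch


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for an ic-cdk version string."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_CLEAN_MINOR:
        return "patched"
    fixed_patch = PATCHED.get((major, minor))
    if fixed_patch is None:
        # Below 0.8.0 there is no backport; the advisory does not assess these.
        return "unknown"
    return "patched" if patch >= fixed_patch else "vulnerable"


def parse_cargo_lock(text):
    """Minimal parser: (name, version) for every [[package]] block in a Cargo.lock."""
    packages = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            packages.append((name.group(1), version.group(1)))
    return packages


def audit_lockfile(text):
    """Map each ic-cdk / ic-cdk-timers entry in the lockfile to a verdict.

    Keyed by (name, version) because a lockfile can resolve the same crate
    at several versions, and every ic-cdk copy must be patched.
    """
    findings = {}
    for name, version in parse_cargo_lock(text):
        if name == "ic-cdk":
            findings[(name, version)] = classify(version)
        elif name == "ic-cdk-timers":
            # The leak lives in ic-cdk; timers is affected only via that dependency.
            findings[(name, version)] = "check ic-cdk"
    return findings


# Constructed sample lockfile (not from any real project); versions are illustrative.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "candid"
version = "0.9.11"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ic-cdk"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "candid",
]

[[package]]
name = "ic-cdk-timers"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "ic-cdk",
]
"""

if __name__ == "__main__":
    for (name, version), verdict in audit_lockfile(SAMPLE_LOCK).items():
        print(f"{name} {version}: {verdict}")
```

Run it against a real project by replacing `SAMPLE_LOCK` with the contents of its Cargo.lock; any `vulnerable` line means `cargo update -p ic-cdk` (or a bump of the ic-cdk requirement in Cargo.toml) is needed, and `ic-cdk-timers` needs no separate action once every ic-cdk entry reads `patched`.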

Azle 0.24.1 and Kybra 0.7.0 both have the fix, please upgrade if this vulnerability concerns you. All Azle and Kybra devs should upgrade if performing cross-canister calls on mainnet, as the leak seems highly likely to affect you over time.

@lastmjs Thanks so much for fixing Azle and Kybra so quickly! Is there an easy way to let the Azle or Kybra users know they should upgrade? For example, thanks to the GitHub and RUSTSEC advisories for cdk-rs, GitHub or cargo audit would bring up the issue automatically if a Rust project depends on the lib. But I’m not sure that would be the case if someone uses Azle or Kybra?


We mentioned it in the Discord channels and I let a couple devs know directly.

Azle could probably have this done through npm audit, but I haven’t ever submitted an advisory like this. Have you? I wonder if anyone can submit an advisory for a package on npm.

I’m not sure if PyPI has something like this.

Both projects are still in beta with a heavy disclaimer that specifically mentions security… though it does say unknown vulnerabilities, but I think the point gets across.


Actually, do you have the option of adding npm or PyPI packages to your security advisory? It seems like npm might pull from GitHub advisories.

It can be added in the same advisory but I feel it would be cleaner if you can replicate the advisory in the Azle / Kybra repository since the higher level APIs affected are different between the CDKs and you would also be able to add more context for the developers. You can also refer to the same CVE in the advisory.

Just for my understanding, how does Azle / Kybra integrate with ic_cdk? Do you have your own implementation over the system APIs or do you call into ic_cdk via FFI and linkers? If it’s the latter, we will make sure we loop you in asap in the future if there is a new vulnerability.


We do not have our own implementation over the system APIs, we rely heavily on ic_cdk and other DFINITY Rust crates