Platform Name: Oasis Core, Replay Attack via In-Memory Nonce Cache, CVE-2026-XXXXX (Medium) -DC-Jun2026-704

The vulnerability resides in the signed-poll mechanism, specifically within the nonce cache implementation used to prevent replay attacks. The system employs an in-process Least Recently Used (LRU) cache, capped at 65,536 entries, to store nonces from previously seen signed-poll requests. This cache is designed to ensure that each request is unique and cannot be replayed by an attacker.
The core of the issue lies in the nonce cache’s volatility and its global scope, with no per-host bound. When a signed-poll request is received, its nonce is checked against this in-memory LRU. If the nonce is not present, the request is considered valid and the nonce is stored. However, this cache is wiped clean upon any process restart, effectively forgetting all previously seen nonces. An attacker who has captured a valid signed-poll request can simply wait for a server restart and then replay the request, as the nonce will appear new to the freshly initialized cache.
Furthermore, the replay window is defined by a `pollClockSkew` of 5 minutes. This means a captured request is replayable for up to five minutes after its original timestamp, provided the server restarts within that window. The impact is magnified by the global nature of the LRU cache. An attacker with control over a single host can flood the system with >65,536 nonces under their own host_id, forcing the global LRU to evict the victim’s recorded nonce. This allows the attacker to replay the victim’s request even without a server restart.
The consequences of a successful replay are significant. A replayed poll fetches the `/api/v1/agent/updates` endpoint. If a rekey is pending, the response body can include a freshly-minted, single-use enrollment token. An attacker who successfully replays a request can intercept this token and redeem it under their own keypair, effectively compromising the enrollment process and gaining unauthorized access.

DailyCVE Form

Platform: Oasis Core
Version: v0.3.0 and earlier
Vulnerability: Replay Attack
Severity: Medium
Date: 2026-06-26

Prediction: 2026-07-10

What Undercode Say: Analytics

The vulnerability’s root cause is the use of an in-memory, non-persistent cache for replay protection. This design choice introduces two primary attack vectors: process restarts and cache eviction. The following command can be used to simulate a cache flood, forcing the eviction of a specific nonce:

for i in {1..70000}; do curl -X POST https://target/api/v1/agent/poll -d "host_id=attacker&nonce=$i"; done

This command sends 70,000 poll requests with unique nonces, filling the LRU cache and potentially evicting the victim’s entry. Once the cache is flooded, the attacker can replay the victim’s captured request:

curl -X POST https://target/api/v1/agent/poll -d "host_id=victim&nonce=original_nonce&timestamp=original_timestamp"

The success of this replay depends on the original timestamp being within the 5-minute `pollClockSkew` window. The following Go code snippet illustrates the vulnerable cache implementation:

// internal/api/pop/nonce.go
var nonceCache = lru.New(65536) // Global, in-memory LRU

func checkNonce(hostID, nonce string) bool {
	key := hostID + ":" + nonce
	if _, ok := nonceCache.Get(key); ok {
		return false // Nonce already seen, reject
	}
	nonceCache.Add(key, struct{}{})
	return true
}

Exploit

An attacker can exploit this vulnerability through the following steps:
1. Capture: Intercept a valid signed-poll request from a victim host. This request must be within the 5-minute `pollClockSkew` window.
2. Flood: If the server does not restart, the attacker can flood the global LRU cache with their own nonces. By sending more than 65,536 requests, they can force the eviction of the victim’s nonce.
3. Replay: Once the cache is cleared (either by restart or eviction), the attacker replays the captured request. The system, having no record of the nonce, accepts it as valid.
4. Token Theft: The replayed poll fetches the `/api/v1/agent/updates` endpoint. If a rekey is pending, the response includes a single-use enrollment token. The attacker can then use this token to enroll their own device, gaining unauthorized access.

Protection

To mitigate this vulnerability, the following fixes are recommended:
Option 1 (Robust): Persist nonces in a SQLite database, keyed by (host_id, nonce), with an `ON CONFLICT DO NOTHING` clause. This ensures nonces are remembered across restarts and are not subject to eviction by a single host. The data should be retained for the duration of the timestamp-skew window (e.g., 5 minutes).
Option 2 (Lower Effort): Implement a per-host cap on the LRU cache instead of a global 65k cap. This prevents one host from evicting another’s records. Additionally, reduce the `pollClockSkew` to ≤30 seconds to shorten the replay window after a restart.
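
Option 2 sketched as an added example (not Oasis Core's own code): each host_id gets its own bounded nonce set, entries expire with the skew window, and a host that fills its own bucket is rejected rather than allowed to evict live nonces. The names NonceGuard and Check and the cap of 1024 are assumptions; like Option 2 itself, the state is still in memory, so a restart is only narrowed by the shorter skew.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Assumed values: the page recommends a skew of at most 30 seconds; the cap is hypothetical.
const pollClockSkew = 30 * time.Second
const perHostCap = 1024

// NonceGuard keeps a separate, bounded nonce set for each host_id.
type NonceGuard struct {
	mu   sync.Mutex
	seen map[string]map[string]time.Time // host_id -> nonce -> expiry
}

// Check reports whether a poll is fresh: timestamp in window, nonce unseen, bucket not full.
func (g *NonceGuard) Check(hostID, nonce string, ts, now time.Time) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	if d := now.Sub(ts); d > pollClockSkew || d < -pollClockSkew {
		return false // timestamp outside the skew window
	}
	if g.seen == nil {
		g.seen = make(map[string]map[string]time.Time)
	}
	bucket := g.seen[hostID]
	if bucket == nil {
		bucket = make(map[string]time.Time)
		g.seen[hostID] = bucket
	}
	for n, exp := range bucket { // purge nonces the skew check already blocks
		if now.After(exp) {
			delete(bucket, n)
		}
	}
	if _, dup := bucket[nonce]; dup || len(bucket) >= perHostCap {
		return false // replayed nonce, or this host filled its own bucket
	}
	bucket[nonce] = ts.Add(pollClockSkew)
	return true
}

func main() {
	g, now := &NonceGuard{}, time.Now()
	fmt.Println(g.Check("victim", "n1", now, now), g.Check("victim", "n1", now, now))
}
```

Because a nonce is only dropped once its timestamp has aged out of the skew window, a request whose nonce has been purged is still refused by the timestamp check.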

Impact

The impact of this vulnerability is bounded but significant. A successful replay attack allows an attacker to:
Intercept a single-use enrollment token intended for a legitimate host.
Redeem this token under their own keypair, effectively bypassing the normal enrollment process.
Gain unauthorized access to the system with the privileges of the compromised host.
The attack does not allow for arbitrary code execution or direct data manipulation, but it enables a sophisticated authentication bypass that can lead to further compromise.

Sources:

Reported By: github.com