VYPR
Low severity · OSV Advisory · Published Jan 19, 2024 · Updated Nov 29, 2025

Consensys Discovery Nonce Reuse

CVE-2024-23688

Description

Consensys Discovery versions less than 0.4.5 use the same AES/GCM nonce for the entire session, which should ideally be unique for every message. The node's private key isn't compromised; only the session key generated for specific peer communication is exposed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Consensys Discovery prior to 0.4.5 reuses the same AES/GCM nonce for the entire session, exposing the session key used for peer communication.

Vulnerability

Description

Consensys Discovery versions before 0.4.5 implement AES/GCM encryption for peer-to-peer communication. According to cryptographic standards, the nonce used in AES/GCM must be unique for each encrypted message. However, the library reuses the same nonce throughout the entire session, violating this requirement [1][3]. This flaw allows an attacker who observes multiple encrypted messages to recover the session key.

Exploitation

The attack is purely passive and requires no authentication or special network position. An attacker simply needs to intercept network traffic between two peers using Discovery. By capturing multiple ciphertexts encrypted with the same nonce and key, the attacker can compute the session key [3][4]. The session key is derived from the peer communication and is distinct from the node's private key.

Impact

With the compromised session key, the attacker can decrypt all messages within that session and forge new encrypted messages, potentially impersonating one peer or injecting malicious data. However, the node's long-term private key remains secure, so the ENR (Ethereum Node Record) cannot be altered [1][3]. The exposure is limited to the specific peer session, but it undermines the confidentiality and integrity of communications.

Mitigation

The issue has been addressed in Consensys Discovery version 0.4.5 [2][4]. Users are strongly advised to upgrade to this or later versions. No workaround is available; the fix ensures each message uses a unique nonce as per the Discovery v5 specification [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
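
The nonce requirement described above, as an added example that is not Consensys Discovery's code: it encrypts two messages under one session key, first with a single session-wide nonce and then with a new nonce per message, and includes a small audit helper that flags repeated nonces. Class and method names are hypothetical, the messages and key are constructed, and the random 12-byte nonce is an assumption rather than a detail of the 0.4.5 fix.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

// Added illustration: hypothetical names, not the Discovery library's API.
public class GcmNonceDemo {
    static final SecureRandom RNG = new SecureRandom();
    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    // AES-128-GCM with a new Cipher per call; returns ciphertext followed by the 16-byte tag.
    static byte[] seal(byte[] key, byte[] nonce, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        return c.doFinal(msg);
    }

    // True if c1 XOR c2 equals m1 XOR m2: same keystream, so m1 XOR m2 is visible without the key.
    static boolean leaksXor(byte[] c1, byte[] c2, byte[] m1, byte[] m2) {
        for (int i = 0; i < m1.length; i++)
            if ((c1[i] ^ c2[i]) != (m1[i] ^ m2[i])) return false;
        return true;
    }

    // Audit helper: true if any nonce appears twice among a session's recorded packet nonces.
    static boolean hasNonceReuse(List<byte[]> nonces) {
        Set<String> seen = new HashSet<>();
        for (byte[] n : nonces)
            if (!seen.add(Base64.getEncoder().encodeToString(n))) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = random(16);                                           // constructed session key
        byte[] m1 = "PING request-id=01".getBytes(StandardCharsets.UTF_8); // constructed messages,
        byte[] m2 = "PONG request-id=01".getBytes(StandardCharsets.UTF_8); // equal length
        byte[] fixed = random(12);  // flawed pattern: one nonce for the whole session
        System.out.println("fixed nonce, leaks m1^m2: "
            + leaksXor(seal(key, fixed, m1), seal(key, fixed, m2), m1, m2));
        System.out.println("fixed nonce, reuse flagged: " + hasNonceReuse(Arrays.asList(fixed, fixed)));

        byte[] n1 = random(12), n2 = random(12);  // corrected pattern: new 96-bit nonce per message
        System.out.println("fresh nonces, leaks m1^m2: "
            + leaksXor(seal(key, n1, m1), seal(key, n2, m2), m1, m2));
        System.out.println("fresh nonces, reuse flagged: " + hasNonceReuse(Arrays.asList(n1, n2)));
    }
}
```

The SunJCE provider rejects re-initialising the same `Cipher` instance for GCM encryption with an identical key and IV, but that guard does not span separate instances, which is why the session-wide nonce goes unnoticed here. A check like `hasNonceReuse` fits in a regression test over the nonces a session actually emits.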

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| tech.pegasys.discovery:discovery (Maven) | < 0.4.5 | 0.4.5 |
