6% of Bitcoin nodes running outdated software vulnerable to exploits

2 months ago

Bitcoin Core developers have historically disclosed just 10 vulnerabilities affecting older software versions, as reported by Bitcoin Optech. The vulnerabilities, fixed in more recent releases, could have allowed various attacks on nodes running outdated Bitcoin Core versions.

The vulnerabilities are relevant given that Bitcoin Core developers recently introduced a new security disclosure policy to improve transparency and communication regarding vulnerabilities. Historically, the project has faced criticism for inadequate public disclosure of security-critical bugs, leading to a perception that Bitcoin Core is free of bugs.

Libbitcoin developer Eric Voskuil wrote, in a message to the Bitcoin mailing list, that this perception is misleading and potentially dangerous, as it underestimates the risks of running outdated software versions.

Active Bitcoin node vulnerabilities

CryptoSlate has analyzed active Bitcoin nodes to identify how many are currently vulnerable to each attack vector. Roughly 787 (5.94%) out of 14,001 nodes run versions older than 0.21.0.

This figure is significant enough to be considered a problem the Bitcoin community may need to address. Efforts can be made to encourage these node operators to upgrade to newer versions to enhance the Bitcoin network’s overall security, efficiency, and future readiness.

While not an immediate critical issue, it is undoubtedly a concern that warrants attention. It’s not an existential threat to Bitcoin, as most of the network still runs up-to-date software. However, it represents a non-trivial portion of the network that could cause issues or be exploited under certain circumstances. It indicates a need for better communication and incentives within the Bitcoin community to encourage more frequent updates.

Risks for active Bitcoin nodes

Vulnerability | Affected versions | Vulnerable nodes
Remote code execution due to a bug in miniupnpc (CVE-2015-6031) | Before 0.11.1 | 22
Node crash DoS from multiple peers with large messages (CVE-2015-3641) | Before 0.10.1 | 5
Censorship of unconfirmed transactions | Before 0.21.0 | 787
Unbounded ban list CPU/memory DoS (CVE-2020-14198) | Before 0.20.1 | 185
Netsplit from excessive time adjustment | Before 0.21.0 | 787
CPU DoS and node stalling from orphan handling | Before 0.18.0 | 70
Memory DoS from large inv messages | Before 0.20.0 | 182
Memory DoS using low-difficulty headers | Before 0.15.0 | 29
CPU-wasting DoS due to malformed requests | Before 0.20.0 | 182
Memory-related crash in attempts to parse BIP72 URIs | Before 0.20.0 | 182

Per the disclosure, the most widely applicable vulnerabilities affected versions prior to 0.21.0, potentially impacting 787 nodes. These flaws could enable censorship of unconfirmed transactions and cause netsplits due to excessive time adjustments.

Three separate vulnerabilities affected versions before 0.20.0, each potentially impacting 182 nodes. These included a memory DoS from large inv messages, a CPU-wasting DoS from malformed requests, and a memory-related crash when parsing BIP72 URIs.

An unbounded ban list CPU/memory DoS vulnerability (CVE-2020-14198) affected versions prior to 0.20.1, potentially putting 185 nodes at risk. Earlier versions were vulnerable to other attacks, such as a CPU DoS and node stalling from orphan handling (before 0.18.0, affecting 70 nodes) and a memory DoS using low-difficulty headers (before 0.15.0, impacting 29 nodes).

The oldest vulnerabilities disclosed included a remote code execution bug in miniupnpc (CVE-2015-6031) affecting versions before 0.11.1 and a node crash DoS from large messages (CVE-2015-3641) in versions prior to 0.10.1. These affected 22 and 5 nodes, respectively, indicating that very few are still running such outdated software.
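The analysis above amounts to comparing each node's advertised Bitcoin Core version against the "before X" threshold of every disclosed issue. The script below is an added example of that check, written for this article; it is not CryptoSlate's analysis tooling or Bitcoin Core code. It takes the thresholds from the table, parses the version out of a Bitcoin Core user-agent string (the `subver` field a node advertises, e.g. `/Satoshi:0.20.1/`), and reports which disclosed issues still apply. One caveat it handles: Bitcoin Core dropped the leading `0.` after the 0.21.x series (the release after 0.21.1 is 22.0), so a naive string or tuple comparison would rank 0.21.0 above 22.0. The user-agent strings at the bottom are constructed samples, not observed nodes.

```python
"""Map a Bitcoin Core node's advertised version onto the disclosed issues
listed in the table above.  Added example; not CryptoSlate's or Bitcoin
Core's code.  Sample user agents are constructed, not observed."""
import re
from typing import Dict, List, Optional, Tuple

# (issue, first fixed version) from the table: a node is affected when its
# version is strictly lower than the fixed version.
DISCLOSED: List[Tuple[str, str]] = [
    ("Remote code execution via miniupnpc (CVE-2015-6031)", "0.11.1"),
    ("Node crash DoS from large messages (CVE-2015-3641)", "0.10.1"),
    ("Censorship of unconfirmed transactions", "0.21.0"),
    ("Unbounded ban list CPU/memory DoS (CVE-2020-14198)", "0.20.1"),
    ("Netsplit from excessive time adjustment", "0.21.0"),
    ("CPU DoS and node stalling from orphan handling", "0.18.0"),
    ("Memory DoS from large inv messages", "0.20.0"),
    ("Memory DoS using low-difficulty headers", "0.15.0"),
    ("CPU-wasting DoS due to malformed requests", "0.20.0"),
    ("Memory-related crash when parsing BIP72 URIs", "0.20.0"),
]

OUTDATED_BEFORE = "0.21.0"  # the article's cut-off for "outdated"

# Bitcoin Core advertises itself as /Satoshi:<version>/ possibly followed by
# comments; other implementations (btcd, bcoin, ...) use other names and do
# not map onto these thresholds.
_SUBVER_RE = re.compile(r"/Satoshi:(\d+(?:\.\d+)*)")


def parse_dotted(text: str) -> Tuple[int, ...]:
    """'0.20.1' -> (0, 20, 1)."""
    return tuple(int(part) for part in text.split("."))


def parse_subver(subver: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version from a Core user agent, or None if the
    agent is not Bitcoin Core."""
    match = _SUBVER_RE.search(subver)
    return parse_dotted(match.group(1)) if match else None


def normalize(version: Tuple[int, ...]) -> Tuple[int, int, int]:
    """Make pre- and post-0.21 numbering comparable: 0.21.0 -> (21, 0, 0),
    22.0 -> (22, 0, 0).  Core removed the leading '0.' after 0.21.x, so the
    leading zero is dropped and the tuple padded to three components."""
    parts = list(version)
    if parts and parts[0] == 0:
        parts = parts[1:]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def vulnerabilities_for(subver: str) -> List[str]:
    """All disclosed issues whose fixed version is newer than this node's."""
    version = parse_subver(subver)
    if version is None:
        return []
    running = normalize(version)
    return [issue for issue, fixed in DISCLOSED
            if running < normalize(parse_dotted(fixed))]


def summarize(agents: List[str]) -> Tuple[int, int, Dict[str, int]]:
    """Count Core nodes, how many are older than 0.21.0, and how many are
    exposed to each issue, mirroring the article's per-issue table."""
    per_issue = {issue: 0 for issue, _ in DISCLOSED}
    core_nodes = outdated = 0
    cutoff = normalize(parse_dotted(OUTDATED_BEFORE))
    for agent in agents:
        version = parse_subver(agent)
        if version is None:
            continue
        core_nodes += 1
        if normalize(version) < cutoff:
            outdated += 1
        for issue in vulnerabilities_for(agent):
            per_issue[issue] += 1
    return outdated, core_nodes, per_issue


# Constructed sample of advertised user agents (not real crawl data).
SAMPLE_AGENTS = [
    "/Satoshi:27.0.0/",
    "/Satoshi:0.21.1/",
    "/Satoshi:0.20.1/",
    "/Satoshi:0.20.0/",
    "/Satoshi:0.17.1/",
    "/Satoshi:0.10.0/",
    "/btcwire:0.5.0/btcd:0.24.2/",
]

if __name__ == "__main__":
    outdated, total, per_issue = summarize(SAMPLE_AGENTS)
    print(f"{outdated} of {total} Core nodes run versions older than {OUTDATED_BEFORE}")
    for issue, count in per_issue.items():
        print(f"{count:3d}  {issue}")
```

Fed a real crawl (for instance the `subver` values from `getpeerinfo` on a well-connected node), `summarize` reproduces the per-issue column of the table; the `normalize` step is what keeps a 22.0 or 27.0 node from being misclassified as older than 0.21.0.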

New Bitcoin developer disclosure policy

The new policy categorizes vulnerabilities into four severity levels: low, medium, high, and critical. Low-severity bugs, which are hard to exploit or have minimal impact, will be disclosed two weeks after a fixed version is released, with a pre-announcement made simultaneously.

Medium and high-severity bugs, which have more significant impacts, will be disclosed two weeks after the last affected release reaches its end-of-life (EOL), typically one year after the fixed version is first released. A pre-announcement will be made two weeks before disclosure. Critical bugs threatening the network’s integrity will require an ad-hoc disclosure procedure.

The policy will be implemented gradually. All vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier will be disclosed immediately. In July, vulnerabilities fixed in version 22.0 will be disclosed, followed by those fixed in version 23.0 in August. This process will continue until all EOL versions have been addressed.

This initiative aims to set clear expectations for security researchers, incentivizing them to find and responsibly disclose vulnerabilities. By making security bugs available to a broader group of contributors, the policy seeks to prevent future issues and enhance the overall security of the Bitcoin network.

Per the Bitcoin Development Mailing List, the policy’s gradual adoption will allow the community to adjust and provide feedback on its impact.

Node operators still using affected versions are strongly advised to upgrade to the latest release to mitigate these potential risks.

The post 6% of Bitcoin nodes running outdated software vulnerable to exploits appeared first on CryptoSlate.
