Bitcoin Core

Disclosure of remote crash due to addr message spam

Wed, 31 Jul 2024 00:00:00 -0400

Disclosure of the details of an integer overflow bug which causes an assertion crash, a fix for which was released on September 14th, 2021 in Bitcoin Core version v22.0.

This issue is considered High severity.

Details

CAddrMan has a 32-bit nIdCount field that is incremented on every insertion into addrman, and which then becomes the identifier for the new entry. By getting the victim to insert 2³² entries (through e.g. spamming addr messages), this identifier overflows, which leads to an assertion crash.

Attribution

Credit goes to Eugene Siegel for discovering and disclosing the vulnerability, and to Pieter Wuille for fixing the issue in https://github.com/bitcoin/bitcoin/pull/22387.

Timeline

2021-06-21 - Initial report sent to security@bitcoincore.org by Eugene Siegel
2021-07-19 - Fix is merged (https://github.com/bitcoin/bitcoin/pull/22387)
2021-09-13 - v22.0 is released
2024-07-31 - Public disclosure

Disclosure of the impact of an infinite loop bug in the miniupnp dependency

Wed, 31 Jul 2024 00:00:00 -0400

Disclosure of the impact of an infinite loop bug in the miniupnp dependency on Bitcoin Core, a fix for which was released on September 14th, 2021 in Bitcoin Core version v22.0.

This issue is considered Low severity.

Details

Miniupnp, the UPnP library used by Bitcoin Core, would be waiting upon discovery for as long as it receives random data from a device on the network. In addition it would allocate memory for every new device information. An attacker on the local network could pretend to be a UPnP device and keep sending bloated M-SEARCH replies to the Bitcoin Core node until it runs out of memory.

Only users running with the -miniupnp option would have been affected by this bug as Miniupnp is otherwise turned off by default.

Attribution

Credit goes to Ronald Huveneers for reporting the infinite loop bug to the miniupnp project, and to Michael Ford (Fanquake) for the report to the Bitcoin Core project along with a PoC exploit to trigger an OOM and a pull request to bump the dependency (containing the fix).

Timeline

2020-09-17 - Initial report of infinite loop bug to miniupnp by Ronald Huveneers
2020-10-13 - Initial report sent to security@bitcoincore.org by Michael Ford
2021-03-23 - Fix is merged (https://github.com/bitcoin/bitcoin/pull/20421)
2021-09-13 - v22.0 is released
2024-07-31 - Public disclosure

Bitcoin Core 26.2 released

Tue, 09 Jul 2024 00:00:00 -0400

Bitcoin Core version 26.2 is now available for download. See the release notes for more information about the many bug fixes in this release.

If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we’ll do our best to help you.

Disclosure of crash using malicious BIP72 URI

Wed, 03 Jul 2024 00:00:00 -0400

Bitcoin-Qt could crash upon opening a BIP72 URI.

This issue is considered Medium severity.

Details

BIP72 extends the BIP21 URI scheme with an r parameter to fetch a payment request from. An attacker could simply point the URL contained in the r parameter to a very large file, for which Bitcoin-Qt would try to allocate enough memory and crash.

The victim could get tricked into opening a rogue payment request. The large download would happen in the background with little to no output in the GUI until the application runs out of memory.

Attribution

Credits go to Michael Ford (Fanquake) for responsibly disclosing the issue and providing a PoC.

Timeline

2019-08-12 Michael Ford reports the bug to Cory Fields and Wladimir Van Der Laan
2019-10-16 Michael Ford opens PR #17165 to get rid of BIP70 support entirely
2019-10-26 Michael’s PR is merged into Bitcoin Core
2020-06-03 Bitcoin Core version 0.20.0 is released
2021-09-13 The last vulnerable Bitcoin Core version (0.19.x) goes EOL
2024-07-03 Public disclosure

Disclosure of DoS using huge GETDATA messages

Wed, 03 Jul 2024 00:00:00 -0400

A malformed GETDATA message could trigger an infinite loop on the receiving node, using 100% of the CPU allocated to this thread and not making further progress on this connection.

This issue is considered Low severity.

Details

Before Bitcoin Core 0.20.0, an attacker (or buggy client, even) could send us a GETDATA message that would cause our net_processing thread to start spinning at 100%, and not make progress processing messages for the attacker peer anymore. It would still make progress processing messages from other peers, so it is just a CPU DoS with low impact beyond that (not making progress for attacker peers is a non-issue). It also increases per-peer long-term memory usage up by 1.5 MB per attacker peer.

John Newbery opened PR #18808 to fix this issue by only disclosing the lack of progress.

Attribution

Credits to John Newbery for finding this bug, responsibly disclosing it and fixing it.

Timeline

2020-04-29 John Newbery opens #18808
2020-05-08 John Newbery reports his finding by email
2020-05-12 #18808 is merged
2020-06-03 Bitcoin Core version 0.20.0 is released with a fix
2021-09-13 The last vulnerable Bitcoin Core version (0.19.x) goes EOL
2024-07-03 Public disclosure.