A years-old vulnerability has finally been revealed to the public after it was rediscovered, two years after being patched. Javed Khan, a protocol engineer by profession, rediscovered the vulnerability during the Decred Bug Bounty program, an open program aimed at finding bugs in the software. The rediscovery led to the public disclosure of the vulnerability, which had been kept secret for safety reasons.
Two years ago, Braydon G. Fuller, a Bitcoin protocol engineer and security engineer at Bcoin, found a vulnerability that allowed uncontrolled memory resource consumption, which could be exploited to perform a denial-of-service (DoS) attack.
In June 2018, the vulnerability, named Inventory Out-Of-Memory Denial-Of-Service (INVDOS), was found in the peer-to-peer network node of three implementations of Bitcoin and some of their alternative chains.
Bitcoin Core, an open-source project providing free bitcoin client software; Bcoin, which provides Bitcoin and blockchain libraries; and btcd, a full-node bitcoin implementation, were the implementations reportedly affected by the vulnerability. Litecoin and Namecoin, alternatives of Bitcoin Core, were also affected.
The researchers kept the details of the bug private for two years so that no threat actor could exploit it; the details were finally made public after the issue resurfaced in another bitcoin node through the research of an independent engineer.
The vulnerability could have been exploited by flooding a user with many inv announcements of non-existent transactions that use random hashes, leading to overuse of resources and causing a denial of service (DoS), which could be escalated to a DDoS as well.
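The following is an added sketch, not code from Bitcoin Core, btcd, dcrd or the original report, showing how a node can keep per-peer memory bounded when a peer announces large numbers of hashes for transactions that never arrive. The type and function names, the cap of 1000 and the constructed hashes are assumptions for illustration, and this is not the fix any of those projects shipped.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

type Hash [32]byte // 32-byte transaction hash as carried in an inv entry
const maxPendingPerPeer = 1000 // assumed cap for this sketch, not a real node's value

// PeerInv holds transactions one peer has announced but not yet delivered.
type PeerInv struct {
	pending map[Hash]struct{}
	Dropped int // announcements refused because the cap was reached
}
func NewPeerInv() *PeerInv { return &PeerInv{pending: make(map[Hash]struct{})} }

// Announce records one inv message, refusing new hashes once the cap is hit.
func (p *PeerInv) Announce(hashes []Hash) {
	for _, h := range hashes {
		if _, seen := p.pending[h]; seen {
			continue
		}
		if len(p.pending) >= maxPendingPerPeer {
			p.Dropped++
			continue
		}
		p.pending[h] = struct{}{}
	}
}

// Delivered frees the slot once the announced transaction actually arrives.
func (p *PeerInv) Delivered(h Hash) { delete(p.pending, h) }
func (p *PeerInv) Pending() int     { return len(p.pending) }

// ConstructedHashes builds n distinct hashes that match no real transaction.
func ConstructedHashes(n int) []Hash {
	out := make([]Hash, n)
	for i := range out {
		out[i] = sha256.Sum256([]byte(fmt.Sprintf("constructed-%d", i)))
	}
	return out
}

func main() {
	p := NewPeerInv()
	p.Announce(ConstructedHashes(50000))
	fmt.Println("pending:", p.Pending(), "dropped:", p.Dropped)
}
```

Without the cap check, the pending set would grow by one entry for every announced hash, which is the uncontrolled memory consumption the report describes.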
According to the reports, anyone with a peer-to-peer connection and internet access could exploit the vulnerability. The attack could have shut down the entire network had 100% of the nodes been vulnerable. At the time of discovery, 50% of nodes were already vulnerable.
It could have caused loss of mining time and/or over-expenditure of electricity, which could in turn cause the loss of time-sensitive contracts or prevent economic activity. However, analysis found that the vulnerability could not be exploited to steal bitcoins.
The vulnerable software, which users are advised to update as a priority, is Bitcoin Core v0.16.0 or v0.16.1, Bitcoin Knots v0.16.0, Bcoin v1.0.0-pre and earlier, Btcd v0.20.1-beta and earlier, Litecoin Core v0.16.0, Namecoin Core v0.16.1, and Dcrd v1.5.1 and earlier.
Fortunately, the vulnerability, which was introduced on November 15, 2017, with a pull request in Bitcoin Core and discovered during testing in 2018, was reportedly never exploited.
The vulnerability, patched on the same day of discovery, was rediscovered in Decred, an open-source project associated with btcd, on June 26, 2020, and is now patched there, reported Javed Khan, who discovered the vulnerability. This time, 100% of the nodes were vulnerable.
The vulnerability is considered dangerous. It could “contribute to loss of funds and revenue,” said Fuller.
To protect against this vulnerability, users are advised to update the software to the latest versions and apply any bug fixes.
For full details, including technical details of the impact on different software, list of vulnerable versions, and list of recommended versions, visit here