
    Geth Security Update: Enhancements from the Ethereum Foundation

By wsjcrypto, 12 January 2025

    Overview

Versions of geth compiled with a vulnerable Go release are likely to be affected by a severe DoS security flaw. The Go team tracks this vulnerability as CVE-2020-28362.

We advise all users to recompile (preferably v1.9.24) with Go 1.15.5 or 1.14.12 in order to prevent node failures. If you use binaries provided through our official channels, we will release v1.9.24 ourselves, compiled with Go 1.15.5.

    Docker images may be outdated due to a missing base image; however, you can consult the release notes on how to temporarily construct one with Go 1.15.5. Please execute geth version to confirm the Go version your binary was compiled with.
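As an added illustration (not code from the Geth project or this post), the following Go program does what the paragraph above asks for: it pulls the "Go Version:" field out of the text printed by geth version and checks it against the fixed releases named here (1.15.5 and 1.14.12). The sample geth output is constructed, and the rule that minor lines newer than 1.15 count as patched and lines older than 1.14 as unpatched is this example's own assumption, not something the advisory states.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Minimum Go patch release carrying the fix, per minor line, as named in the
// advisory: 1.15.5 and 1.14.12.
var minPatched = map[int]int{15: 5, 14: 12}

// parseGoVersion turns "go1.15.5" (or "1.15.5", or "go1.15") into numeric parts.
func parseGoVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	nums := [3]int{}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return 0, 0, 0, fmt.Errorf("unrecognised Go version %q: %v", v, convErr)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// goVersionPatched reports whether a Go release is at or above the fixed
// releases. Assumption (not from the advisory): minor lines newer than 1.15
// are treated as patched, lines older than 1.14 as unpatched.
func goVersionPatched(v string) (bool, error) {
	major, minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	if major != 1 {
		return major > 1, nil
	}
	if need, ok := minPatched[minor]; ok {
		return patch >= need, nil
	}
	return minor > 15, nil
}

// goVersionFromGethOutput extracts the "Go Version:" field from the text
// printed by `geth version`.
func goVersionFromGethOutput(out string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "Go Version:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "Go Version:")), nil
		}
	}
	return "", fmt.Errorf("no \"Go Version:\" line in geth output")
}

// Constructed sample of `geth version` output (not captured from a real node);
// it deliberately shows a binary built with an unpatched Go 1.15.x.
const sampleGethVersion = `Geth
Version: 1.9.24-stable
Architecture: amd64
Go Version: go1.15.3
Operating System: linux
`

func main() {
	v, err := goVersionFromGethOutput(sampleGethVersion)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	ok, err := goVersionPatched(v)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Prints: binary built with go1.15.3; patched for CVE-2020-28362: false
	fmt.Printf("binary built with %s; patched for CVE-2020-28362: %v\n", v, ok)
}
```

In practice you would feed goVersionFromGethOutput the real output of geth version (or of docker run ethereum/client-go version for a container image) instead of the constructed constant; the same check applies to the Docker recommendation later in the post, since it tells you which Go toolchain the image was actually built with.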

    Context

    In early October, go-ethereum joined Google’s OSS-Fuzz initiative. We had previously run fuzzers on an exceptional basis and evaluated various platforms.

    On 2020-10-24, we received information that one of our fuzzers had detected a crash.

    Upon further inspection, it was revealed that the underlying cause of the problem was a bug in the standard libraries of Go, which has been reported upstream.

    Our sincere appreciation goes to Adam Korczynski from Ada Logics for initially integrating go-ethereum into OSS-Fuzz!

    Effect

    The DoS vulnerability could potentially crash all Geth nodes during block processing, resulting in a significant portion of the Ethereum network going offline.

Aside from go-ethereum, this flaw most likely applies to all forks of Geth (such as TurboGeth or ETC’s core-geth). For broader context we recommend the upstream report, as the Go team has investigated other potentially affected parties.

    Chronology

    • 2020-10-24: Crash report received from OSS-fuzz
    • 2020-10-25: Investigation confirmed it was due to a defect in Go. Details forwarded to security@golang.org
    • 2020-10-26: Acknowledgment from upstream, investigation ongoing
    • 2020-10-26 — 2020-11-06: Potential solutions discussed, upstream inquiry into possibly affected parties
    • 2020-11-06: Upstream tentatively set a fix-release date for 2020-11-12
    • 2020-11-09: Upstream pre-announced the security release: https://groups.google.com/g/golang-announce/c/kMa3eup0qhU/m/O5RSMHO_CAAJ
    • 2020-11-11: Users were informed about the impending release via the official Geth twitter account, our official Discord channel, and Reddit.
    • 2020-11-12: Updated Go version released, along with new geth binaries.

    Further issues

    Mining vulnerability

    Another security concern was indicated to us through this PR, which includes a correction to the ethash algorithm.

The mining flaw could cause miners to erroneously compute PoW for an upcoming epoch. This occurred on the ETC chain on 2020-11-06, and it would likely have become an issue on the ETH mainnet around block 11550000 / epoch 385, expected in early January 2021.

    This issue has been resolved as of 1.9.24. It is relevant solely for miners; non-mining nodes remain unaffected.

    Geth shallow copy flaw

    Impacted: 1.9.7 – 1.9.16

    Resolved: 1.9.17

    Type: Consensus vulnerability

    On 2020-07-15, John Youngseok Yang (Software Platform Lab) reported a consensus vulnerability in Geth.

Geth’s pre-compiled dataCopy (0x00…04) contract performed a shallow copy on invocation, while Parity’s performed a deep copy. An attacker could deploy a contract that:

    • writes X to an EVM memory region R,
    • calls 0x00…04 with R as input,
    • overwrites R with Y,
    • and finally executes the RETURNDATACOPY opcode.

When this contract is executed, Parity would push X onto the EVM stack, whereas Geth would push Y.
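To make the aliasing concrete, here is an added Go illustration (not Geth's or Parity's code) that models the two dataCopy behaviours over a toy byte-array memory and replays the four steps above. The function names, the 64-byte memory, the region R at offset 0 and the 32-byte values X and Y are all constructed for the illustration; the point it shows is why the two clients disagreed on what RETURNDATACOPY returned, and why the deep copy is the consensus-safe choice.

```go
package main

import (
	"bytes"
	"fmt"
)

// dataCopyShallow models the Geth 1.9.7-1.9.16 behaviour described above:
// the precompile hands back a slice that still aliases the caller's memory
// region, so a later write to that region silently changes the "return data".
func dataCopyShallow(input []byte) []byte {
	return input
}

// dataCopyDeep models the Parity behaviour (and Geth from 1.9.17): the
// return data is an independent copy, immune to later writes to the region.
func dataCopyDeep(input []byte) []byte {
	out := make([]byte, len(input))
	copy(out, input)
	return out
}

// evmMemory is a toy stand-in for EVM memory: one flat byte array.
type evmMemory struct {
	data []byte
}

func (m *evmMemory) write(offset int, b []byte) {
	copy(m.data[offset:], b)
}

func (m *evmMemory) region(offset, size int) []byte {
	return m.data[offset : offset+size]
}

// Constructed sample 32-byte words standing in for X and Y.
var (
	valueX = bytes.Repeat([]byte{0xAA}, 32)
	valueY = bytes.Repeat([]byte{0xBB}, 32)
)

// runScenario replays the four steps from the post against one dataCopy
// implementation and returns the bytes RETURNDATACOPY would copy out.
func runScenario(dataCopy func([]byte) []byte) []byte {
	mem := &evmMemory{data: make([]byte, 64)}
	const rOffset, rSize = 0, 32

	mem.write(rOffset, valueX)                         // 1. write X to region R
	returnData := dataCopy(mem.region(rOffset, rSize)) // 2. call 0x00..04 with R as input
	mem.write(rOffset, valueY)                         // 3. overwrite R with Y

	out := make([]byte, rSize) // 4. RETURNDATACOPY reads the retained return data
	copy(out, returnData)
	return out
}

func main() {
	// Prints: shallow copy returns X? false / deep copy returns X? true
	fmt.Printf("shallow copy returns X? %v\n", bytes.Equal(runScenario(dataCopyShallow), valueX))
	fmt.Printf("deep copy returns X?    %v\n", bytes.Equal(runScenario(dataCopyDeep), valueX))
}
```

The shallow variant is the one to look for in review: any precompile or host function that returns a slice of the caller's memory rather than its own buffer will produce exactly this kind of client-dependent result once the caller keeps writing to that memory.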

    Outcomes

    This was leveraged on Ethereum Mainnet at block 11234873, transaction 0x57f7f9. Nodes were removed from the network, resulting in approximately 30 blocks being lost on a sidechain. This incident also caused Infura to disconnect, leading to issues for numerous individuals and services reliant on Infura as a backend service provider.

Further details can be found in the Geth post-mortem, the Infura post-mortem, and here.

DoS in v1.9.16 and v1.9.17

    Impacted: v1.9.16, v1.9.17

    Resolved: v1.9.18

    Type: DoS flaw during block processing

    A DoS flaw was discovered and rectified in v1.9.18. We have opted not to disclose the specifics at this juncture.

    Recommendations

    In the immediate term, we advise all users to upgrade to geth version v1.9.24 (which should be constructed with Go 1.15.5) without delay. Official distributions can be located here.

If you run Geth through Docker there are additional pitfalls. If you use the ethereum/client-go image, be aware of two things:

    1. There could be a lag before the new image is visible on Docker Hub.
2. Unless the Go base images are published quickly, the geth image may end up being built with a vulnerable version of Go.

If you build Docker images yourself (via docker build . from the repository root), the second issue may affect you as well.

    Therefore, ensure that Go 1.15.5 is utilized as the base image.

    In the long run, we suggest that users and miners explore alternative clients as well. We firmly believe that the resilience of the Ethereum network should not rely on any single client implementation.
    There are Besu, Nethermind, OpenEthereum and TurboGeth along with others to choose from as well.

    Please report security vulnerabilities either through https://bounty.ethereum.org, or via bounty@ethereum.org or through security@ethereum.org.




