<\/p>\n
<\/p>\n
Versions of geth<\/span> compiled with Go or are likely to be impacted by a severe DoS-related security flaw. The golang team has documented this vulnerability as ‘CVE-2020-28362’.<\/span><\/span><\/p>\n <\/p>\n We advise all users to recompile (preferably v1.9.24<\/span>) using Go 1.15.5<\/span> or 1.14.12<\/span>, in order to prevent node failures. Alternatively, if you’re utilizing binaries provided through our official channels, we will release v1.9.24<\/span> ourselves compiled with Go 1.15.5<\/span>.<\/p>\n <\/p>\n Docker images may be outdated due to a missing base image; however, you can consult the release notes on how to temporarily construct one with Go 1.15.5<\/span>. Please execute geth version<\/span> to confirm the Go version your binary was compiled with.<\/p>\n <\/p>\n <\/p>\n In early October, go-ethereum joined Google’s OSS-Fuzz<\/a> initiative. We had previously run fuzzers on an exceptional basis and evaluated various platforms.<\/p>\n <\/p>\n On 2020-10-24, we received information that one of our fuzzers had detected a crash.<\/p>\n <\/p>\n Upon further inspection, it was revealed that the underlying cause of the problem was a bug in the standard libraries of Go, which has been reported upstream.<\/p>\n <\/p>\n Our sincere appreciation goes to Adam Korczynski<\/a> from Ada Logics for initially integrating go-ethereum into OSS-Fuzz!<\/p>\n <\/p>\n <\/p>\n The DoS vulnerability could potentially crash all Geth nodes during block processing, resulting in a significant portion of the Ethereum network going offline.<\/p>\n <\/p>\n Aside from Go-Ethereum, this flaw is likely pertinent to all forks of Geth (such as TurboGeth or ETC’s core-geth). For a broader context, we recommend referring to the upstream, as the Go team has conducted an investigation into potentially impacted parties.<\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n <\/p>\n Another security concern was indicated to us through this PR<\/a>, which includes a correction to the ethash algorithm.<\/p>\n <\/p>\n The mining flaw could lead to miners mistakenly computing PoW in an upcoming epoch. This incident occurred on the ETC chain on 2020-11-06. It appears that this might become an issue for the ETH mainnet around block 11550000<\/span> \/ epoch 385<\/span>, expected to take place in early January 2021.<\/p>\n <\/p>\n This issue has been resolved as of 1.9.24<\/span>. It is relevant solely for miners; non-mining nodes remain unaffected.<\/p>\n <\/p>\n <\/p>\n Impacted: 1.9.7<\/span> – 1.9.16<\/span><\/p>\n <\/p>\n Resolved: 1.9.17<\/span><\/p>\n <\/p>\n Type: Consensus vulnerability<\/p>\n <\/p>\n On 2020-07-15, John Youngseok Yang (Software Platform Lab) reported a consensus vulnerability in Geth.<\/p>\n <\/p>\n Geth’s pre-compiled dataCopy(0x00…04)<\/span> contract performed a shallow copy on invocation, while Parity’s executed a deep copy. An attacker could deploy a contract that<\/p>\n <\/p>\n <\/p>\n <\/p>\n This was leveraged on Ethereum Mainnet at block 11234873<\/a>, transaction 0x57f7f9<\/a>. Nodes <\/p>\n Further details can be found in the Geth post-mortem<\/a> as well as Infura post-mortem<\/a> and here<\/a>.<\/p>\n <\/p>\n <\/p>\n Impacted: v1.9.16<\/span>,v1.9.17<\/span><\/p>\n <\/p>\n Resolved: v1.9.18<\/span><\/p>\n <\/p>\n Category: DoS flaw during block processing<\/p>\n <\/p>\n A DoS flaw was discovered and rectified in v1.9.18<\/span>. We have opted not to disclose the specifics at this juncture.<\/p>\n <\/p>\n <\/p>\n In the immediate term, we advise all users to upgrade to geth<\/span> version v1.9.24<\/span> (which should be constructed with Go 1.15.5<\/span>) without delay. Official distributions can be located here<\/a>.<\/p>\n <\/p>\n If you are utilizing Geth through Docker, there may be several issues. If you are employing ethereum\/client-go<\/span>, there are a couple of considerations to be aware of:<\/p>\n <\/p>\n <\/p>\n If you are constructing Docker images independently, (via docker build .<\/span> from the repository root), then the secondary issue may also pose challenges for you.<\/p>\n <\/p>\n Therefore, ensure that Go 1.15.5<\/span> is utilized as the base image.<\/p>\n <\/p>\n In the long run, we suggest that users and miners explore alternative clients as well. We firmly believe that the resilience of the Ethereum network should not rely on any single client implementation. <\/p>\n Please report security vulnerabilities either through https:\/\/bounty.ethereum.org<\/a>, or via bounty@ethereum.org<\/a> or through security@ethereum.org<\/a>.<\/p>\n<\/div>\nContext<\/h2>\n
Effect<\/h2>\n
Chronology<\/h2>\n
\n
Further issues<\/h2>\n
Mining vulnerability<\/h3>\n
Geth shallow copy flaw<\/h3>\n
\n
Outcomes<\/h4>\n
DoS in .16<\/span> and .17<\/span><\/h3>\n
Recommendations<\/h2>\n
\n
\nThere are Besu<\/a>, Nethermind<\/a>, OpenEthereum<\/a> and TurboGeth<\/a> along with others to choose from as well.<\/p>\n