Summary
Versions of Geth built with Go <1.15.5 or <1.14.12 are most likely affected by a critical DoS-related security vulnerability. The Golang team registered this flaw as CVE-2020-28362.
We recommend all users to rebuild (ideally v1.9.24) with Go 1.15.5 or 1.14.12 to avoid node crashes. Alternatively, if you use binaries distributed through one of our official channels, we will release v1.9.24 built with Go 1.15.5 ourselves.
Docker images will most likely be delayed due to a missing base image, but you can check the release notes to learn how to temporarily build one with Go 1.15.5 yourself. Please run geth version to check the Go version your binary was built with.
Background
At the beginning of October, Go-Ethereum signed up for Google's OSS-Fuzz program. We had previously run fuzzers on an ad hoc basis on different platforms.
On 2020-10-24, we were informed that one of our fuzzers had detected a crash.
After investigation, it turned out that the root cause of the problem was a bug in Go's standard library, and the problem was reported upstream.
Special thanks to Adam Korczynski from Ada Logics for the initial integration of go-ethereum into OSS-Fuzz!
Impact
The DoS flaw can be used to crash all Geth nodes while they process blocks, which would effectively take a large portion of the Ethereum network offline.
Outside of Go-Ethereum, the issue is most likely relevant to all forks of Geth (such as TurboGeth or ETC's core-geth). For even broader context, we defer to upstream, since the Go team has conducted an investigation of potentially affected parties.
Chronology
- 2020-10-24: OSS-Fuzz crash report
- 2020-10-25: Investigation revealed that this was due to a flaw in Go. Details sent to security@golang.org
- 2020-10-26: Acknowledgment of receipt from upstream, investigation in progress
- 2020-10-26 to 2020-11-06: Potential fixes discussed, upstream investigation of potentially affected parties
- 2020-11-06: Upstream patch release tentatively scheduled for 2020-11-12
- 2020-11-09: Upstream pre-announced the security release: https://groups.google.com/g/golang-announce/c/kMa3eup0qhU/m/O5RSMHO_CAAJ
- 2020-11-11: Users informed of the upcoming release via the official Geth Twitter account, our official Discord channel and Reddit.
- 2020-11-12: A new version of Go was released, and new Geth binaries were released
Additional problems
Mining flaw
Another security issue was brought to our attention via this PR, which contains a fix for the ethash algorithm.
The mining flaw could cause miners to erroneously calculate PoW for an upcoming epoch. This happened on the ETC chain on 2020-11-06. It would be a problem for the ETH mainnet around block 11550000 / epoch 385, which will occur in early January 2021.
This issue is also fixed as of 1.9.24. It only affects miners; non-mining nodes are not affected.
Geth Shallow Copy Bug
Affected: 1.9.7 – 1.9.16
Fixed: 1.9.17
Type: Consensus vulnerability
On 2020-07-15, John Youngseok Yang (Software Platform Lab) reported a consensus vulnerability in Geth.
Geth's precompiled dataCopy contract (0x00..04) made a shallow copy of its input when invoked, whereas Parity's made a deep copy. An attacker could deploy a contract that
- writes X to an EVM memory region A,
- calls 0x00..04 with A as argument,
- overwrites A with Y,
- and finally invokes the RETURNDATACOPY opcode.
When this contract was invoked, Parity would push X on the EVM stack, while Geth would push Y.
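The aliasing problem described above, reduced to a small Go model (added example, not Geth's or Parity's actual code): a precompile that returns its input slice unchanged versus one that returns a copy, run through the write-call-overwrite-RETURNDATACOPY sequence from the text. The evmState type, runScenario and clientsDiverge are illustrative names assumed here.

```go
package main

import (
	"bytes"
	"fmt"
)

// evmState: the two pieces of EVM state involved, caller memory and the
// return-data buffer that RETURNDATACOPY reads from.
type evmState struct {
	memory     []byte
	returnData []byte
}

// shallowDataCopy models the affected Geth behaviour: the 0x00..04 precompile
// returns a slice that still aliases the caller's memory.
func shallowDataCopy(input []byte) []byte { return input }

// deepDataCopy models Parity's (and the fixed) behaviour: an independent copy.
func deepDataCopy(input []byte) []byte {
	out := make([]byte, len(input))
	copy(out, input)
	return out
}

// runScenario replays the contract from the text: write x to region A, call
// 0x00..04 with A, overwrite A with y, then RETURNDATACOPY the result out.
func runScenario(precompile func([]byte) []byte, x, y []byte) []byte {
	vm := &evmState{memory: make([]byte, 64)}
	regionA := vm.memory[:len(x)]
	copy(regionA, x)                    // MSTORE x into A
	vm.returnData = precompile(regionA) // CALL 0x00..04 with A as argument
	copy(regionA, y)                    // overwrite A with y
	out := make([]byte, len(vm.returnData))
	copy(out, vm.returnData) // RETURNDATACOPY into a fresh buffer
	return out
}

// clientsDiverge reports whether the two copy semantics give different
// results for the same contract, i.e. whether the chain would split.
func clientsDiverge(x, y []byte) bool {
	return !bytes.Equal(runScenario(shallowDataCopy, x, y), runScenario(deepDataCopy, x, y))
}

func main() {
	x, y := []byte("XXXXXXXX"), []byte("YYYYYYYY")
	fmt.Printf("shallow copy (Geth):  %q\n", runScenario(shallowDataCopy, x, y))
	fmt.Printf("deep copy (Parity):   %q\n", runScenario(deepDataCopy, x, y))
	fmt.Println("clients diverge:", clientsDiverge(x, y))
}
```

The shallow variant observes Y because the return-data buffer is the same backing array that was overwritten, which is exactly the divergence that split the two client implementations.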
Consequences
This was exploited on Ethereum Mainnet at block 11234873, transaction 0x57f7f9. Nodes
More context can be found in the Geth postmortem, the Infura postmortem, and here.
DoS in .16 and .17
Affected: v1.9.16, v1.9.17
Fixed: v1.9.18
Type: DoS vulnerability during block processing
A DoS vulnerability was found and fixed in v1.9.18. We have chosen not to publish details at this time.
Recommendations
In the short term, we recommend that all users upgrade to Geth v1.9.24 (which should be built with Go 1.15.5) immediately. Official releases can be found here.
If you are using Geth through Docker, there might be some issues. If you use ethereum/client-go, there are two things to be aware of:
- There may be a delay before the new image appears on the Docker Hub.
- Unless the Go base images were rebuilt quickly enough, there is a chance that they were built with a vulnerable version of Go.
If you build Docker images yourself (via docker build . from the repository root), the second issue might also affect you.
So make sure that a Go 1.15.5 base image is used.
In the long term, we recommend that users and miners also look into alternative clients. We strongly believe that the resilience of the Ethereum network should not depend on a single client implementation. There are Besu, Nethermind, OpenEthereum and TurboGeth, among others, to choose from.
Please report security vulnerabilities via https://bounty.ethereum.org, via bounty@ethereum.org or via security@ethereum.org.