summary
version Guess Built in Go <1.15.5 or <1.14.12 You are likely to be affected by serious DoS-related security vulnerabilities. The golang team has registered this flaw as ‘CVE-2020-28362’.
We recommend a rebuild to all users (ideally v1.9.24) with Go 1.15.5 or 1.14.12, prevent node collisions. or if you are running a binary distributed through one of the official channels; v1.9.24 We are made with Go 1.15.5.
Your Docker image is likely out of date due to missing base images, but you can check the release notes on how to build it temporarily using Go. 1.15.5. Please run geth version Check which version of Go the binary was built with.
background
In early October, Gothereum was registered on Google. OSS-Fuzz program. We’ve previously run the fuzzer on an ad-hoc basis and tested a few different platforms.
On October 24, 2020, we received notification that one of our fuzzers had discovered a conflict.
Investigation revealed that the root cause of the issue was a bug in the Go standard library, and the issue was reported upstream.
Special thanks Adam Korzinski This is the work of Ada Logics, who first integrated Go-ethereum into OSS-Fuzz!
effect
DoS issues can be used to crash all Geth nodes during block processing, resulting in major parts of the Ethereum network going offline.
Outside of Go-Ethereum, this issue is likely to be relevant to any fork of Geth (e.g. TurboGeth or ETC’s core-geth). For broader context, I’ll refer to upstream, as the Go team has conducted research on potentially affected parties.
timeline
- 2020-10-24: Crash report from OSS-fuzz
- 2020-10-25: Investigation revealed that this was caused by a flaw in Go. Details have been sent to: security@golang.org
- 2020-10-26: Approved from upstream, investigation in progress
- 2020-10-26 — 2020-11-06: Potential fixes discussed, upstream investigation for potentially affected parties.
- 2020-11-06: Fix release tentatively scheduled for upstream on 2020-11-12
- 2020-11-09: Upstream pre-announced a security release. https://groups.google.com/g/golang-announce/c/kMa3eup0qhU/m/O5RSMHO_CAAJ
- 2020-11-11: Official Geth Twitter informed users about the upcoming release. accountOfficial Discord Channel and reddit.
- 2020-11-12: A new Go version has been released. Guess Binaries have been released
Additional issues
mining glitch
Another security issue came to our attention through: this promotionContains fixes to the ethash algorithm.
A mining flaw may cause miners to miscalculate PoW in the upcoming epoch. This happened on the ETC chain on 2020-11-06. This appears to be a problem for the ETH mainnet around the block. 11550000 /era 385This will occur in early January 2021.
This issue has now been resolved. 1.9.24. This issue only affects miners; non-mining nodes are not affected.
Geth shallow copy bug
affected: 1.9.7 – 1.9.16
determined: 1.9.17
Type: Consensus Vulnerability
2020-07-15 Researcher Youngseok Yang (Software Platform Lab) reported a consensus vulnerability in Geth.
Precompilation of Geth Copy data (0x00…04) Contract performed a shallow copy when called, while Parity performed a deep copy. An attacker could deploy a contract like this:
- write X To EVM memory area R,
- phone call 0x00..04 with R By argument,
- overwrite R to why,
- And finally Copy of return data opcode.
- When this contract is called, Parity pushes. X It’s in the EVM stack, whereas Geth pushes it. why.
result
This was exploited in a block on the Ethereum mainnet. 11234873transaction 0x57f7f9. node
More context can be found here: Geth post mortem and He steals after death. and here.
DoS .16 and .17
affected: v1.9.16,v1.9.17
determined: v1.9.18
Type: DoS vulnerability during block processing
A DoS vulnerability was discovered and fixed. v1.9.18. We have decided not to disclose any details at this time.
Recommendation
In the short term, we recommend that all users upgrade to: Guess version v1.9.24 (Must be built in Go 1.15.5) immediately. You can find the official release here here.
If you use Geth through Docker, you may encounter some issues. if you use Ethereum/Client MovementThere are two things you need to know:
- It may take some time for new images to appear in Docker Hub.
- Unless the Go base image is generated quickly enough, vulnerable Go version.
If you are building a Docker image yourself (via) Docker build. The second issue (in the repository root) can also cause the problem.
So be careful to make sure Go happens. 1.15.5 Used as the default image.
In the long term, we recommend that users and miners also look for alternative clients. It is our strong feeling that the resiliency of the Ethereum network should not depend on a single client implementation. there is besut, nethermind, Open Ethereum and turbo get And there are other things to choose from as well.
Please report security vulnerabilities via: https://bounty.ethereum.orgor via bounty@ethereum.org or through security@ethereum.org.