Ethereum

Geth Security Release | Ethereum Foundation Blog

summary

version Guess Built in Go <1.15.5 or <1.14.12 You are likely to be affected by serious DoS-related security vulnerabilities. The golang team has registered this flaw as ‘CVE-2020-28362’.

We recommend a rebuild to all users (ideally v1.9.24) with Go 1.15.5 or 1.14.12, prevent node collisions. or if you are running a binary distributed through one of the official channels; v1.9.24 We are made with Go 1.15.5.

Your Docker image is likely out of date due to missing base images, but you can check the release notes on how to build it temporarily using Go. 1.15.5. Please run geth version Check which version of Go the binary was built with.

background

In early October, Gothereum was registered on Google. OSS-Fuzz program. We’ve previously run the fuzzer on an ad-hoc basis and tested a few different platforms.

On October 24, 2020, we received notification that one of our fuzzers had discovered a conflict.

Investigation revealed that the root cause of the issue was a bug in the Go standard library, and the issue was reported upstream.

Special thanks Adam Korzinski This is the work of Ada Logics, who first integrated Go-ethereum into OSS-Fuzz!

effect

DoS issues can be used to crash all Geth nodes during block processing, resulting in major parts of the Ethereum network going offline.

Outside of Go-Ethereum, this issue is likely to be relevant to any fork of Geth (e.g. TurboGeth or ETC’s core-geth). For broader context, I’ll refer to upstream, as the Go team has conducted research on potentially affected parties.

timeline

  • 2020-10-24: Crash report from OSS-fuzz
  • 2020-10-25: Investigation revealed that this was caused by a flaw in Go. Details have been sent to: security@golang.org
  • 2020-10-26: Approved from upstream, investigation in progress
  • 2020-10-26 — 2020-11-06: Potential fixes discussed, upstream investigation for potentially affected parties.
  • 2020-11-06: Fix release tentatively scheduled for upstream on 2020-11-12
  • 2020-11-09: Upstream pre-announced a security release. https://groups.google.com/g/golang-announce/c/kMa3eup0qhU/m/O5RSMHO_CAAJ
  • 2020-11-11: Official Geth Twitter informed users about the upcoming release. accountOfficial Discord Channel and reddit.
  • 2020-11-12: A new Go version has been released. Guess Binaries have been released

Additional issues

mining glitch

Another security issue came to our attention through: this promotionContains fixes to the ethash algorithm.

A mining flaw may cause miners to miscalculate PoW in the upcoming epoch. This happened on the ETC chain on 2020-11-06. This appears to be a problem for the ETH mainnet around the block. 11550000 /era 385This will occur in early January 2021.

This issue has now been resolved. 1.9.24. This issue only affects miners; non-mining nodes are not affected.

Geth shallow copy bug

affected: 1.9.71.9.16

determined: 1.9.17

Type: Consensus Vulnerability

2020-07-15 Researcher Youngseok Yang (Software Platform Lab) reported a consensus vulnerability in Geth.

Precompilation of Geth Copy data (0x00…04) Contract performed a shallow copy when called, while Parity performed a deep copy. An attacker could deploy a contract like this:

  • write X To EVM memory area R,
  • phone call 0x00..04 with R By argument,
  • overwrite R to why,
  • And finally Copy of return data opcode.
  • When this contract is called, Parity pushes. X It’s in the EVM stack, whereas Geth pushes it. why.

result

This was exploited in a block on the Ethereum mainnet. 11234873transaction 0x57f7f9. node Up to 30 blocks were lost from the sidechain due to deletion from the network. Additionally, Infura has been discontinued, causing problems for many people and services that rely on Infura as a backend provider.

More context can be found here: Geth post mortem and He steals after death. and here.

DoS .16 and .17

affected: v1.9.16,v1.9.17

determined: v1.9.18

Type: DoS vulnerability during block processing

A DoS vulnerability was discovered and fixed. v1.9.18. We have decided not to disclose any details at this time.

Recommendation

In the short term, we recommend that all users upgrade to: Guess version v1.9.24 (Must be built in Go 1.15.5) immediately. You can find the official release here here.

If you use Geth through Docker, you may encounter some issues. if you use Ethereum/Client MovementThere are two things you need to know:

  1. It may take some time for new images to appear in Docker Hub.
  2. Unless the Go base image is generated quickly enough, vulnerable Go version.

If you are building a Docker image yourself (via) Docker build. The second issue (in the repository root) can also cause the problem.

So be careful to make sure Go happens. 1.15.5 Used as the default image.

In the long term, we recommend that users and miners also look for alternative clients. It is our strong feeling that the resiliency of the Ethereum network should not depend on a single client implementation. there is besut, nethermind, Open Ethereum and turbo get And there are others to choose from too.

Please report security vulnerabilities via: https://bounty.ethereum.orgor via bounty@ethereum.org or through security@ethereum.org.

Related Articles

Back to top button