The Bitcoin team today fixed a severe vulnerability in the software that underpins the entire Bitcoin network.
The vulnerability is tracked as CVE-2018-17144 and is categorized as a simple “denial of service” (DoS) issue. While this classification may play down its importance, as most DoS bugs cause simple crashes, this vulnerability has a more severe impact than most people believe.
This is because CVE-2018-17144 affects Bitcoin Core, the software that Bitcoin nodes (miners) run on their servers, and the software that keeps the entire Bitcoin network up and running.
“[It] can take down the network,” Jason Glassberg, co-founder of Casaba Security, told ZDNet today. “That would affect transactions in the sense that they cannot be completed, but does not appear to open up a way to steal or manipulate wallets.”
Glassberg’s assessment was confirmed by other cryptocurrency experts as well, who also pointed out this bug can be exploited remotely.
But while users’ funds are not at risk, an attacker can use this vulnerability to intentionally crash Bitcoin nodes.
If an attacker controls or adds enough malicious nodes to the Bitcoin network and then causes a crash, he can execute a so-called 51% attack on the Bitcoin network and manipulate transactions for his financial gain.
According to this website, it currently costs about $450,000 to mount a 51% attack for an hour under normal conditions, but by exploiting this bug, an attacker can reduce this cost to a smaller and more doable value.
According to the Bitcoin team, exploitation is also rather simple, as it only relies on sending malformed transactions on the Bitcoin network.
“Older versions of Bitcoin Core will crash if they try to process a block containing a transaction that attempts to spend the same input twice,” the Bitcoin Core team explained in a security advisory released today.
All Bitcoin Core versions between 0.14.0 and 0.16.2 are considered vulnerable. This covers all Bitcoin Core releases since March 2017. Version 0.16.3 was released today to address this issue. Bitcoin Knots, a fork of and alternative to the Bitcoin Core software, was also confirmed to be affected and also received a patch.
The CVE-2018-17144 patch was also ported to Litecoin, a cryptocurrency that started out as a fork of the original Bitcoin project code.
But Emin Gün Sirer, a professor at Cornell University and a renowned cryptographer and cryptocurrency expert, says this bug was only fixed in Litecoin after the Bitcoin Core 0.16.3 release, meaning the Litecoin project was never informed of the issue in advance.
“Copycat currencies are at risk,” Sirer said today, referring to all the cryptocurrencies that have been forked from the Bitcoin code in the past decade.
“By definition, there’s always a group upstream that knows their vulnerabilities,” he warned, alluding to the possibility that attackers keeping an eye on the main Bitcoin branch may attempt to exploit this flaw on smaller cryptocurrencies where the patch has not been ported yet, and where 51 percent attacks are even cheaper and easier to carry out than against Bitcoin’s massive network.
For readers who only own Bitcoin and other cryptocurrency funds, this bug is not a direct threat, but readers who also run their own mining rigs should look into the vulnerability and see if it also affects their mining rig’s software.
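An added example, not from the article or the Bitcoin Core project: a Python check that classifies a node's reported version against the affected range given above (0.14.0 to 0.16.2, fixed in 0.16.3). The function names and the sample inventory are constructed for illustration; the integer and user-agent forms are those Bitcoin Core reports in the `version` and `subversion` fields of `getnetworkinfo`.

```python
import re

# Affected range and fixed release, as stated in the article.
FIRST_AFFECTED, LAST_AFFECTED, FIXED = (0, 14, 0), (0, 16, 2), (0, 16, 3)

SATOSHI_UA = re.compile(r"/Satoshi:(\d+)\.(\d+)\.(\d+)")
CLI_BANNER = re.compile(r"Bitcoin Core.*?v(\d+)\.(\d+)\.(\d+)")


def parse_core_version(reported):
    """Return (major, minor, patch) for a Bitcoin Core version, or None.

    Accepts the integer form (160200), a user agent ("/Satoshi:0.16.2/") or a
    --version banner. A forked coin's user agent returns None, never "safe".
    """
    if isinstance(reported, int):
        # Core packs versions as major*1000000 + minor*10000 + patch*100 + build.
        return (reported // 1000000, reported // 10000 % 100, reported // 100 % 100)
    for pattern in (SATOSHI_UA, CLI_BANNER):
        match = pattern.search(reported)
        if match:
            return tuple(int(part) for part in match.groups())
    return None


def classify(reported):
    """Return 'vulnerable', 'patched', 'pre-range' or 'unknown'."""
    version = parse_core_version(reported)
    if version is None:
        return "unknown"  # fork or unparseable: consult that project's advisory
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "vulnerable"
    if version >= FIXED:
        return "patched"
    return "pre-range"  # older than 0.14.0, outside the range the article gives


def audit(nodes):
    """Classify every entry of a {name: reported_version} inventory."""
    return {name: classify(reported) for name, reported in nodes.items()}


# Constructed inventory for illustration; names and values are not real hosts.
SAMPLE_NODES = {
    "rig-a": "/Satoshi:0.16.2/",
    "rig-b": 160300,
    "rig-c": "Bitcoin Core Daemon version v0.15.1",
    "rig-d": "/LitecoinCore:0.16.2/",
}
```

A result of `unknown` for a forked coin is deliberate: its version numbers cannot be compared with Bitcoin Core's range, so that project's own advisory has to be checked.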