Resume
versions of geth built with go <1.15.5 either <1.14.12 it is very likely that they are affected by a critical security vulnerability related to DoS. The golang team has logged this flaw as ‘CVE-2020-28362’.
We recommend all users to rebuild (ideally v1.9.24) with Go 1.15.5 either 1.14.12, to avoid node locks. Alternatively, if you are running binaries distributed through one of our official channels, we are going to release v1.9.24 we build ourselves with Go 1.15.5.
Most likely the Docker images are out of date due to a missing base image, but you can check the release notes on how to create one temporarily with Go 1.15.5. please run geth version to check the version of Go your binary was built with.
Bottom
In early October, go-ethereum signed up with Google OSS-Fuzz Program. We had previously run fuzzers on an ad-hoc basis and tried a few different platforms.
On 2020-10-24, we were notified that one of our fuzzers had encountered a blockage.
Upon investigation, it turned out that the root cause of the issue was a bug in the Go standard libraries, and the issue was reported upstream.
Special thanks to adam korczynski from Ada Logics for the initial integration of go-ethereum into OSS-Fuzz!
Impact
The DoS issue can be used to crash all Geth nodes during block processing, the effects of which would be that a significant part of the Ethereum network would go offline.
Outside of Go-Ethereum, the issue is most likely relevant to all Geth forks (such as TurboGeth or ETC’s core-geth). For an even broader context, we would refer to upstream, as the Go team conducted an investigation of potentially affected parties.
Chronology
- 2020-10-24: OSS-fuzz crash report
- 2020-10-25: Investigation found that it was due to a bug in Go. Details sent to [email protected]
- 2020-10-26: Upstream recognition, ongoing investigation
- 2020-10-26 — 2020-11-06: Potential fixes discussed, prior investigation of potentially affected parties
- 2020-11-06: Tentatively scheduled upstream fix release for 2020-11-12
- 2020-11-09: Upstream previously announced the security release: https://groups.google.com/g/golang-announce/c/kMa3eup0qhU/m/O5RSMHO_CAAJ
- 2020-11-11: Notification to users about upcoming release via Geth official twitter billour official Discord channel and Reddit.
- 2020-11-12: The new version of Go was released and geth binaries were released
additional problems
mining fault
Another security issue came to our attention via this PRcontaining a solution to the ethash algorithm.
The mining glitch could cause miners to miscalculate PoW at a later date. This happened on the ETC chain on 2020-11-06. It looks like this would be a problem for the ETH mainnet around the block. 11550000 / epoch 385which will take place in early January 2021.
This problem is also fixed from 1.9.24. This issue is relevant for miners only, non-mining nodes are not affected.
Geth shallow copy error
Affected: 1.9.7 – 1.9.16
Fixed: 1.9.17
Type: consensus vulnerability
On July 15, 2020, John Youngseok Yang (Software Platform Lab) reported a consensus vulnerability in Geth.
Geth is precompiled data copy (0x00…04) contract made a shallow copy of the call, while Parity made a deep copy. An attacker could implement a contract that
- writes X to an EVM memory region R.,
- calls 0x00..04 with R. as argument,
- overwrites R. a Y,
- and finally invokes the COPY OF RETURN DATA opcode.
- When this contract is invoked, Parity would push X on the EVM stack, while Geth would push Y.
Consequences
This was exploited on the Ethereum Mainnet on the block 11234873transaction 0x57f7f9. nodes
More context can be found in the Geth postmortem Y He steals after death. Y here.
DoS in .sixteen Y .17
Affected: v1.9.16,v1.9.17
Fixed: v1.9.18
Type: DoS vulnerability during block processing
A DoS vulnerability was found and fixed in v1.9.18. We have chosen not to publish the details at this time.
recommendations
In the short term, we recommend that all users upgrade to geth version v1.9.24 (which must be built with Go 1.15.5) immediately. Official communications can be found here.
If you are using Geth via Docker, there could be some issues. if you are using ethereum/client-goThere are two things to keep in mind:
- There may be a delay before the new image appears on Docker Hub.
- Unless Go’s base images have been built fast enough, there’s a chance they’ll be built with a vulnerable Go version.
If you are creating docker images yourself, (via docker construction. from the root of the repository), then the second issue might cause you trouble as well.
So be careful to make sure that Go 1.15.5 is used as the base image.
In the long term, we recommend that users and miners also look for alternative clients. We strongly believe that the resiliency of the Ethereum network should not depend on a single client implementation. There are Better, nether mind, OpenEthereum Y TurboGeth and others to choose from as well.
Report security vulnerabilities through https://bounty.ethereum.orgor via [email protected] or via [email protected].
