Summary
Versions of Geth built with Go toolchains older than 1.15.5 (on the 1.15 line) or 1.14.12 (on the 1.14 line) are vulnerable to a denial-of-service flaw in the Go standard library, tracked by the Go team as CVE-2020-28362.
We advise all users to rebuild Geth (ideally v1.9.24) with Go 1.15.5 or 1.14.12 to avoid node crashes. If you obtain binaries through one of our distribution channels, those will be released as v1.9.24 built with Go 1.15.5.
The Docker images are currently out of date because the patched base images are not yet available; the release notes explain how to build a temporary image yourself in the meantime. Run geth version and look at the "Go Version" line to see which Go toolchain your binary was built with.
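The version check above is easy to get wrong by eye (a v1.9.24 binary is still vulnerable if it was built with Go 1.15.4). The following POSIX shell script is an added example, not part of the advisory or of the go-ethereum code base: it parses the "Go Version:" line of geth version output and reports whether the toolchain carries the fix. The sample outputs embedded in it are constructed for illustration, not captured from real nodes.

```shell
#!/bin/sh
# Added example (not from the advisory): decide from `geth version` output
# whether the binary was built with a Go toolchain that includes the
# CVE-2020-28362 fix: Go 1.15.5+ on the 1.15 line, 1.14.12+ on the 1.14
# line, or any later minor release. Earlier minors (1.13 and below) never
# received the patch and are reported as vulnerable.

# go_is_fixed GOVERSION  -> prints "fixed", "vulnerable" or "unknown"
# e.g. go_is_fixed go1.15.4 -> vulnerable, go_is_fixed go1.15.5 -> fixed
go_is_fixed() {
    v=${1#go}              # strip the leading "go"
    v=${v%% *}             # drop anything after a space ("go1.15.5 linux/amd64")
    case "$v" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "go1.16" has no patch component
    case "$major$minor$patch" in
        *[!0-9]*) echo unknown; return 0 ;;   # go1.15rc1, go1.15beta2, ...
    esac
    if [ "$major" -ne 1 ]; then
        echo unknown
    elif [ "$minor" -gt 15 ]; then
        echo fixed
    elif [ "$minor" -eq 15 ]; then
        [ "$patch" -ge 5 ] && echo fixed || echo vulnerable
    elif [ "$minor" -eq 14 ]; then
        [ "$patch" -ge 12 ] && echo fixed || echo vulnerable
    else
        echo vulnerable
    fi
}

# go_version_from_geth OUTPUT -> the value of the first "Go Version:" line
go_version_from_geth() {
    printf '%s\n' "$1" | sed -n 's/^Go Version:[[:space:]]*//p' | head -n 1
}

# check_geth_output OUTPUT -> "fixed", "vulnerable" or "unknown"
check_geth_output() {
    go_is_fixed "$(go_version_from_geth "$1")"
}

# Constructed sample outputs in the layout `geth version` prints (not real captures).
# A v1.9.24 binary built with an unpatched toolchain is still vulnerable.
SAMPLE_VULNERABLE='Geth
Version: 1.9.24-stable
Architecture: amd64
Go Version: go1.15.4
Operating System: linux'

SAMPLE_FIXED='Geth
Version: 1.9.24-stable
Architecture: amd64
Go Version: go1.15.5
Operating System: linux'

printf 'sample built with go1.15.4: %s\n' "$(check_geth_output "$SAMPLE_VULNERABLE")"
printf 'sample built with go1.15.5: %s\n' "$(check_geth_output "$SAMPLE_FIXED")"

# Check the geth on PATH, if there is one.
if command -v geth >/dev/null 2>&1; then
    printf 'local geth binary: %s\n' "$(check_geth_output "$(geth version)")"
fi
```

Pre-release toolchains (go1.15rc1 and the like) are reported as "unknown" rather than guessed at; a node built with one of those should be rebuilt with a released toolchain anyway.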
Background
In early October, go-ethereum was enrolled in Google's OSS-Fuzz program. We had used fuzzers before, on several different platforms, but OSS-Fuzz runs them continuously.
On 2020-10-24, the fuzzing infrastructure reported a crash. Investigation showed that the root cause was a bug in the Go standard library, so the issue was reported upstream to the Go team.
We would like to thank Adam Korczynski from Ada Logics for the initial integration into OSS-Fuzz!
Impact
The DoS issue can be used to crash Geth nodes during block processing; if exploited against the network at large, a major part of the Ethereum network would go offline.
Beyond go-ethereum itself, the issue most likely affects forks of Geth (such as TurboGeth) and ETC's core-geth. For a broader picture, see the upstream Go team's investigation into potentially affected parties.
Chronology
- 2020-10-24: OSS-fuzz crash report
- 2020-10-25: Investigation identified the standard-library bug as the root cause. Details sent to security@golang.org
- 2020-10-26: Continuing investigation by upstream
- 2020-10-26 to 2020-11-06: Pre-disclosure investigation by potentially affected parties
- 2020-11-06: Tentatively scheduled upstream fix release for 2020-11-12
- 2020-11-09: Upstream security release announced https://groups.google.com/g/golang-announce/c/kMa3eup0qhU/m/O5RSMHO_CAAJ
- 2020-11-11: User notification via the official Geth Twitter account, the official Discord, and Reddit.
- 2020-11-12: New version of Geth binaries made available
Other Issues
Mining Flaw
We were also alerted via email to a security issue in the ethash algorithm, for which this PR contains a fix.
Due to the bug, miners could have produced incorrect PoW calculations in the future. This was observed on
Affects: 1.9.7 – 1.9.16
The Ethereum Foundation has released a security update for Geth, the official Ethereum client. Affecting versions 1.9.7 – 1.9.16, the update addresses a consensus vulnerability in the dataCopy precompiled contract (address 0x00…04).
This vulnerability was exploited on Ethereum mainnet at block 11234873, transaction 0x57f7f9. Nodes still running affected versions forked off the main chain, producing a minority chain of ~30 blocks. The incident also caused a temporary outage of the Infura service, disrupting the many services that depend on it.
In addition, a DoS vulnerability was found and fixed in v1.9.18. Details of this vulnerability have not yet been published.
The Ethereum Foundation recommends that all users upgrade to Geth v1.9.24 (built with Go 1.15.5) as soon as possible. Official communications can be found here. If you run Geth via Docker, the published images may lag behind; please read the post for details.
Users and miners are also encouraged to consider alternative clients, such as Besu, Nethermind, OpenEthereum, TurboGeth and others.
Security vulnerabilities can be reported through https://bounty.ethereum.org, bounty@ethereum.org or security@ethereum.org.