CVE-2018-20587 Advisory and Full Disclosure (Bitcoin Core & Knots, on multiuser systems)

Workarounds

  • Forbid other people from using your computer. This includes remote access. Securing login access to the computer is outside the scope of this advisory.
  • Forbid other users of your computer from binding to the RPC port on any network interface. (How to do this is non-trivial and outside the scope of this document.)
  • Turn off the RPC service and never attempt to use it. To do this, ensure that your bitcoin.conf file includes the line “server=0”. You can confirm it is disabled if the bitcoin-cli program fails to execute any command with the message “Could not connect to the server”.
  • Before accessing the RPC service, check that your node’s debug.log does not contain any “Binding RPC on address … failed” lines.
  • Configure your node to bind only a single RPC port. To do this, make sure your bitcoin.conf contains exactly one line beginning with “rpcbind=” and at least one line beginning with “rpcallowip=”. Generally, you want these to be “rpcbind=127.0.0.1” and “rpcallowip=127.0.0.1” (other values may fail to eliminate the danger). With this configuration, the software will refuse to start unless it successfully binds the specified port.

Technical Details

Timeline

  • 2018-12-10 Bui Thanh, on behalf of a team of security researchers from Aalto University and the University of Helsinki, reports the issue to a number of Bitcoin Core developers.
  • 2018-12-13 Upon further inquiry from Bui Thanh, Matt Corallo confirms receipt of the original report and reaffirms that users have always been advised not to expose the RPC service to untrusted networks or hosts.
  • 2018-12-14 Bui Thanh recommends that Bitcoin Core should not silently ignore failures to bind RPC listening ports.
  • 2018-12-15 Wladimir J. van der Laan submits pull request #14968 to fix the issue.
  • 2018-12-28 Because the fix proposed in #14968 breaks the RPC service on IPv4-only systems, and there is no straightforward way to resolve both issues, the fix is deferred.
  • 2018-12-30 A complex and experimental solution that fixes both issues is released in Bitcoin Knots 0.17.1.knots20181229.
  • 2018-12-30 The vulnerability is officially assigned CVE-2018-20587.
  • 2019-01-15 A proposal to disclose the vulnerability and mitigations is shared with the other involved parties.
  • 2019-01-21 David Harding submits pull request #15223 to document the issue, along with other RPC service risks in general.
  • 2019-01-21 PR #15223 documenting the issue is merged into Bitcoin Core.
  • 2019-02-07 At the weekly Bitcoin Core meeting, the issue is discussed and it is ultimately decided that a dedicated advisory will not be published to bitcoincore.org.
  • 2019-02-08 The advisory and full disclosure are posted to Luke Dashjr’s personal blog.

Luke Dashjr, Bitcoin Core developer
