|
| 1 | +--- |
| 2 | +title: Disclosure of CPU/memory DoS due to many malicious peers (≤ version 0.20.0) |
| 3 | +name: blog-disclose-unbounded-banlist |
| 4 | +id: en-blog-disclose-unbounded-banlist |
| 5 | +lang: en |
| 6 | +type: advisory |
| 7 | +layout: post |
| 8 | + |
| 9 | +## If this is a new post, reset this counter to 1. |
| 10 | +version: 1 |
| 11 | + |
| 12 | +## Only true if release announcement or security annoucement. English posts only |
| 13 | +announcement: 1 |
| 14 | + |
| 15 | +excerpt: > |
| 16 | + Bitcoin Core maintained an unlimited list of banned IP addresses and performed a quadratic operation on it. This could lead to an OOM crash and a CPU Dos. |
| 17 | +--- |
| 18 | + |
| 19 | +Bitcoin Core maintained an unlimited list of banned IP addresses and performed a quadratic operation |
| 20 | +on it. This could lead to an OOM crash and a CPU Dos. |
| 21 | + |
| 22 | +This issue is considered **High** severity. |
| 23 | + |
| 24 | +## Details |
| 25 | + |
| 26 | +Bitcoin Core maintained a list of banned IP addresses. This list was not bounded and could be |
| 27 | +manipulated by an adversary. Adding new entries to this list was particularly cheap for an attacker |
| 28 | +when considering IPV6. In addition, when receiving a `GETADDR` message, Bitcoin Core would scan the |
| 29 | +entire ban list for every single address to be returned (up to 2500). |
| 30 | + |
| 31 | +## Attribution |
| 32 | + |
| 33 | +Calin Culianu first responsibly disclosed it. Calin later publicly disclosed the bug in [a PR |
| 34 | +comment](https://github.com/bitcoin/bitcoin/pull/15617#issuecomment-640898523). |
| 35 | + |
| 36 | +On the same day Jason Cox from Bitcoin ABC emailed the Bitcoin Core project to share this same |
| 37 | +report they also received. |
| 38 | + |
| 39 | +## Timeline |
| 40 | + |
| 41 | +- 2020-06-08 Calin Culianu privately reports the bug to the Bitcoin Core project |
| 42 | +- 2020-06-08 Jason Cox privately shares the (same) report sent to Bitcoin ABC with Bitcoin Core |
| 43 | +- 2020-06-08 Calin Culianu publicly discloses the vulnerability on the original PR which introduced the quadratic behaviour |
| 44 | +- 2020-06-09 Pieter Wuille opens PR [#19219](https://github.com/bitcoin/bitcoin/pull/19219) which fixes both the unbounded memory usage and the quadratic behaviour |
| 45 | +- 2020-06-16 Luke Dashjr gets assigned CVE-2020-14198 for this vulnerability after his request |
| 46 | +- 2020-07-07 Pieter's PR is merged |
| 47 | +- 2020-08-01 Bitcoin Core 0.20.1 is released with the fix |
| 48 | +- 2021-01-14 Bitcoin Core 0.21.0 is released with the fix |
| 49 | +- 2022-04-25 The last vulnerable Bitcoin Core version (0.20.0) goes EOL |
| 50 | +- 2024-07-03 (Official) Public Disclosure |
| 51 | + |
| 52 | +{% include references.md %} |
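Review bot: The Details section (file lines 24-29) describes the unbounded ban list and the per-address scan on `GETADDR`, but it never says which release fixes the issue or how. A reader has to work that out from the Timeline. Consider adding one sentence to Details, or to the lead paragraph at lines 19-20, that names PR #19219 and Bitcoin Core 0.20.1 as the fix, using the facts already given in the Timeline entries at lines 44 and 47. Smaller wording points in the same file: "CPU Dos" at lines 16 and 20 should match the "DoS" spelling used in the title at line 2, "IPV6" at line 27 is normally written "IPv6", "annoucement" in the front-matter comment at line 12 is misspelled, and "disclosed it" at line 33 has no antecedent inside the Attribution section, so "disclosed this issue" would read better.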