|
| 1 | +--- |
| 2 | +title: Disclosure of the impact of an infinite loop bug in the miniupnp dependency |
| 3 | +name: blog-disclose-miniupnp-bug-impact |
| 4 | +id: en-blog-disclose-miniupnp-bug-impact |
| 5 | +lang: en |
| 6 | +type: advisory |
| 7 | +layout: post |
| 8 | + |
| 9 | +## If this is a new post, reset this counter to 1. |
| 10 | +version: 1 |
| 11 | + |
| 12 | +## Only true if release announcement or security annoucement. English posts only |
| 13 | +announcement: 1 |
| 14 | + |
| 15 | +excerpt: > |
| 16 | + Nodes could be crashed by a malicious UPnP device on the local network. A fix was released on September 14th, 2021 in Bitcoin Core v22.0. |
| 17 | +--- |
| 18 | + |
| 19 | +Disclosure of the impact of an infinite loop bug in the miniupnp dependency on |
| 20 | +Bitcoin Core, a fix for which was released on September 14th, 2021 in Bitcoin |
| 21 | +Core version v22.0. |
| 22 | + |
| 23 | +This issue is considered **Low** severity. |
| 24 | + |
| 25 | +## Details |
| 26 | + |
| 27 | +Miniupnp, the UPnP library used by Bitcoin Core, would be waiting upon |
| 28 | +discovery for as long as it receives random data from a device on the network. |
| 29 | +In addition it would allocate memory for every new device information. An |
| 30 | +attacker on the local network could pretend to be a UPnP device and keep |
| 31 | +sending bloated M-SEARCH replies to the Bitcoin Core node until it runs out of |
| 32 | +memory. |
| 33 | + |
| 34 | +Only users running with the <code>-miniupnp</code> option would have been |
| 35 | +affected by this bug as Miniupnp is otherwise turned off by default. |
| 36 | + |
| 37 | +## Attribution |
| 38 | + |
| 39 | +Credit goes to Ronald Huveneers for reporting the infinite loop bug to the |
| 40 | +miniupnp project, and to Michael Ford (Fanquake) for the report to the Bitcoin |
| 41 | +Core project along with a PoC exploit to trigger an OOM and a pull request to |
| 42 | +bump the dependency (containing the fix). |
| 43 | + |
| 44 | +## Timeline |
| 45 | + |
| 46 | +* 17-09-2020 - Initial report of infinite loop bug to miniupnp by Ronald Huveneers |
| 47 | +* 13-10-2020 - Initial report sent to security@bitcoincore.org by Michael Ford |
| 48 | +* 23-03-2021 - Fix is merged (https://github.com/bitcoin/bitcoin/pull/20421) |
| 49 | +* 13-09-2021 - v22.0 is released |
| 50 | +* 31-07-2024 - Public disclosure |
| 51 | + |
| 52 | +{% include references.md %} |
0 commit comments