
Security Advisory [Implementation bugs in Go and Python clients can cause DoS – Fixed – Please update clients]

December 8, 2025
By ZadeNor AI Team

Ethereum Security Advisory: Implementing Fixes for Critical DoS Vulnerability

In a security advisory (dated 2015-09-02 in the source URL below), the Ethereum team identified and addressed a critical vulnerability in the geth client that affects the stability of the network. The issue, caused by a state transition and consensus problem, can lead to a denial-of-service (DoS) attack if a malicious actor exploits it. In this article, we'll delve into the details of the vulnerability, its impact, and the remedial actions taken by the Ethereum team.

The Vulnerability: A Complex Issue

The vulnerability, which affects the geth client, occurs when processing a valid block containing a specific combination of transactions. These transactions include one or more SUICIDE calls, which are valid but can cause the client to panic and crash. The issue is not unique to geth, as the pyethereum client, which is used by pyethapp, is also affected.

The Impact: Network Instability and DoS

If a malicious actor were to exploit this vulnerability, it could lead to a DoS attack on the network. A DoS attack makes a network or system unavailable to its users, typically by sending it a large amount of traffic. Here no flood is needed: processing the block described above makes affected clients panic and crash. The vulnerability could therefore cause the network to become unstable, leading to a loss of trust and confidence in the Ethereum ecosystem.

The Affected Configurations

The issue was reported for the geth client. While investigating it, related issues were discovered and corrected in pyethereum; hence pyethapp is also affected. C++ clients, such as eth, are unaffected by this vulnerability.

The Likelihood and Severity

The likelihood of this vulnerability being exploited is low, but the severity of the impact is high. The complexity of the issue is also high, making it a challenging problem to solve.

The Remedial Action Taken by Ethereum

The Ethereum team has taken swift action to address the vulnerability. The fixes have been provided for both the geth and pyethereum clients. Users are advised to upgrade their clients to the latest version to ensure the stability of the network.

Upgrading the geth Client

To upgrade the geth client, users can follow these steps:

  • If using the stable version 1.0, users can upgrade to the latest version 1.1.1 using a package manager such as apt-get or homebrew.
  • If using the PPA, users can run sudo apt-get update followed by sudo apt-get upgrade.
  • If using brew, users can run brew update followed by brew reinstall ethereum.
  • If using a Windows binary, users can download the updated binary.
  • If building from source, users can run git pull followed by make geth (please use the Master branch commit 8f09242d7f527972acb1a8b2a61c9f55000e955d).

Upgrading the pyethereum Client

To upgrade the pyethereum client, users of pyethapp should reinstall using the following command:

pip install pyethapp --force-reinstall

The Correct Version for this Update

The correct version for this update on Ubuntu and OSX is Geth/v1.1.1-8f09242d.
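
A check to run after the upgrade steps above, as an added example that is not part of the original advisory: it classifies client identifiers against the fixed build Geth/v1.1.1-8f09242d. It assumes identifiers follow the Geth/v<version>-<commit> form shown above (optionally with a trailing /suffix), that you collect them yourself, and that releases later than 1.1.1 keep the fix; the function names, status words and sample nodes are constructed.

```shell
# Added example: classify geth client identifiers against the fixed build
# named in this advisory. Status words and node names are made up here.
FIXED_VERSION="1.1.1"
FIXED_COMMIT="8f09242d7f527972acb1a8b2a61c9f55000e955d"  # from the upgrade steps
ID_RE='^Geth/v[0-9]+\.[0-9]+\.[0-9]+(-[0-9a-f]+)?(/.*)?$'

# ver_cmp A B: print -1, 0 or 1 for three-field dotted versions A and B.
ver_cmp() {
    old_ifs=$IFS; IFS=.; set -- $1 $2; IFS=$old_ifs   # $1..$3 = A, $4..$6 = B
    for pair in "$1 $4" "$2 $5" "$3 $6"; do
        a=${pair% *}; b=${pair#* }
        if [ "$a" -lt "$b" ]; then echo -1; return 0; fi
        if [ "$a" -gt "$b" ]; then echo 1; return 0; fi
    done
    echo 0
}

# check_geth_id ID: print fixed, newer, unverified, outdated or unrecognized.
check_geth_id() {
    printf '%s\n' "$1" | grep -Eq "$ID_RE" || { echo unrecognized; return 0; }
    rest=${1#Geth/v}; rest=${rest%%/*}; ver=${rest%%-*}   # e.g. 1.1.1-8f09242d
    case $rest in *-*) commit=${rest#*-} ;; *) commit= ;; esac
    case $(ver_cmp "$ver" "$FIXED_VERSION") in
        -1) echo outdated ;;
        1)  echo newer ;;    # assumption: later releases still carry the fix
        0)  # same release: commit must be a prefix (8+ hex chars) of the fix
            status=unverified
            if [ "${#commit}" -ge 8 ]; then
                case $FIXED_COMMIT in "$commit"*) status=fixed ;; esac
            fi
            echo "$status" ;;
    esac
}

# audit: read "<node> <identifier>" lines on stdin, print "<node> <status>".
audit() {
    while read -r node id; do
        [ -z "$node" ] && continue
        printf '%s %s\n' "$node" "$(check_geth_id "$id")"
    done
}

# Constructed inventory; only node-b's identifier is taken from the page.
audit <<'EOF'
node-a Geth/v1.0.0
node-b Geth/v1.1.1-8f09242d
node-c Geth/v1.1.1-0badc0de
EOF
```

A node reported as unverified runs release 1.1.1 without a commit that matches the one in the advisory, so its build should be confirmed by hand.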

Conclusion

The Ethereum team has taken swift action to address a critical vulnerability in the geth client. The issue, which affects the stability of the network, has been fixed, and users are advised to upgrade their clients to the latest version. The remedial action taken by the Ethereum team demonstrates their commitment to ensuring the security and stability of the network.

Forward-Looking Thoughts

The Ethereum team's swift action to address this vulnerability demonstrates their commitment to ensuring the security and stability of the network. As the Ethereum ecosystem continues to grow and evolve, it is essential that the team remains vigilant and proactive in addressing potential vulnerabilities. By doing so, they can ensure the continued trust and confidence of users in the Ethereum ecosystem.


Source: https://blog.ethereum.org/en/2015/09/02/security-advisory-implementations-bugs-in-go-and-python-clients-can-cause-dos
