Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: OmegaStarScream on October 12, 2015, 05:42:42 PM



Title: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: OmegaStarScream on October 12, 2015, 05:42:42 PM
I was just on Bitcoin.org to link someone to a wallet and I saw the warning at the top of the page, so I thought I should share it with you guys. I'm not a user of Bitcoin Core anymore, but here:

https://bitcoin.org/en/alert/2015-10-12-upnp-vulnerability


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: GermanGiant on October 12, 2015, 05:47:07 PM
Does it affect any other wallet or only core ?


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: unamis76 on October 12, 2015, 05:57:06 PM
Thanks for the heads up... Why will there be a new 0.10 release?


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: krb91 on October 12, 2015, 06:24:49 PM
Quote from: GermanGiant
Does it affect any other wallet or only core ?

I'm not sure, there is a reddit thread about it, and someone might use it to eventually explain if any other wallets besides core are vulnerable. At the moment the thread only gives the same advice as bitcoin.org, which I quoted. It's only for core, so the vulnerability probably doesn't affect other wallets. I don't understand UPNP well enough to say for certain.

https://www.reddit.com/r/Bitcoin/comments/3ogg0t/bitcoinorg_vulnerability_in_upnp_library_used_by/

Quote
Either
  • turn off the checkbox in the GUI under Options → Network → Map port using UPNP
  • add the line upnp=0 to your bitcoin.conf file
  • add -upnp=0 to the command line options


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: Amph on October 12, 2015, 06:45:17 PM
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: achow101 on October 12, 2015, 06:58:56 PM
Quote from: Amph
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

For the daemon if you don't use core.


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: krb91 on October 12, 2015, 06:59:56 PM
Quote from: Amph
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet, if you built your wallet yourself it should have UPnP disabled by default.
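
The workaround and version advice quoted in the posts above, turned into a local check (an added example, not part of the thread and not Bitcoin Core code). The function names are hypothetical, and the check assumes that command-line options override bitcoin.conf, that only the literal value 0 counts as disabled, and that release candidates are not yet confirmed fixed.

```python
import re

# First safe patch level per release line, as listed in the thread
# (0.10.3 and 0.11.1; 0.12.0 and later are handled below).
FIRST_FIXED = {(0, 10): 3, (0, 11): 1}

def version_is_fixed(version):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m or m.group(4):   # assumption: rc builds and odd strings count as unfixed
        return False
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    if (major, minor) >= (0, 12):
        return True
    need = FIRST_FIXED.get((major, minor))
    return need is not None and patch >= need

def _upnp_values(items, cli):
    """Return the value of every upnp setting found in argv or config lines."""
    found = []
    for item in items:
        key, sep, value = item.split("#", 1)[0].partition("=")
        key = key.strip()
        if cli:
            if not key.startswith("-"):
                continue
            key, sep = key.lstrip("-"), "="   # a bare -upnp counts as "on"
        if sep and key == "upnp":
            found.append(value.strip())
    return found

def effective_upnp(conf_text, argv, default=True):
    """default=True models a downloaded binary; a self-built one may differ (per the thread)."""
    # Assumption: command-line options take precedence over bitcoin.conf.
    for values in (_upnp_values(argv, True), _upnp_values(conf_text.splitlines(), False)):
        if values:
            return any(v != "0" for v in values)   # only a literal 0 disables
    return default

def audit(version, conf_text="", argv=(), default_upnp=True):
    if version_is_fixed(version):
        return "fixed"
    return "exposed" if effective_upnp(conf_text, argv, default_upnp) else "mitigated"

if __name__ == "__main__":
    conf = "# constructed sample bitcoin.conf\nserver=1\nupnp=0\n"
    for ver, args in [("0.11.0", []), ("0.11.0", ["-upnp=1"]), ("0.11.1rc2", []), ("0.10.3", [])]:
        print(ver, args, audit(ver, conf, args))
```

A result of "mitigated" means the workaround is in place but the binary itself is still one of the affected versions.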


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: saturn643 on October 12, 2015, 07:10:25 PM
The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.

Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: Amph on October 12, 2015, 08:38:39 PM
Quote from: Amph
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

Quote from: krb91
I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet, if you built your wallet yourself it should have UPnP disabled by default.

there is no 0.11.1 apparently, i found that they are at rc2 for this version, on a shady website, or at least it seems so...


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: achow101 on October 12, 2015, 08:47:15 PM
Quote from: Amph
what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

Quote from: krb91
I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet, if you built your wallet yourself it should have UPnP disabled by default.

Quote from: Amph
there is no 0.11.1 apparently, i found that they are at rc2 for this version, on a shady website, or at least it seems so...

Neither of them have been released yet. They are still in the release candidate stage.

0.11.1rc2 is officially available at https://bitcoin.org/bin/bitcoin-core-0.11.1/test/
0.10.3rc2 is officially available at https://bitcoin.org/bin/bitcoin-core-0.10.3/test/


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: coinpr0n on October 12, 2015, 09:14:16 PM
Quote from: saturn643
The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.

Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?

Please remember that these are volunteer developers. They may have only just realized the problem was out there or they were waiting to have a patch ready before bringing it to the attention of the public.


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: shorena on October 13, 2015, 05:41:32 AM
Quote from: saturn643
The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.

Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?

Quote from: coinpr0n
Please remember that these are volunteer developers. They may have only just realized the problem was out there or they were waiting to have a patch ready before bringing it to the attention of the public.

I have no source, but I read about the issue on twitter way before this was on bitcoin.org or posted here (twice now?).

Found the source, 3 days old: https://twitter.com/gavinandresen/status/652462681442648065


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: Melds on October 13, 2015, 07:06:36 AM
What are the potential repercussions of this flaw? I'm slightly worried..


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: OmegaStarScream on October 13, 2015, 07:43:41 AM
Quote from: GermanGiant
Does it affect any other wallet or only core ?

I suppose it affects the others because the other SPV wallets use same versions of Bitcoin Core as we do, yes? Correct me if I'm wrong!


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: shorena on October 13, 2015, 09:33:59 AM
Quote from: GermanGiant
Does it affect any other wallet or only core ?

Quote from: OmegaStarScream
I suppose it affects the others because the other SPV wallets use same versions of Bitcoin Core as we do, yes? Correct me if I'm wrong!

SPV wallets are not affected, they just request data from full nodes.


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: christycalhoun on October 13, 2015, 10:25:18 AM
Will this affect 3rd party clients as well or is this just a problem with the official bitcoin-qt client?


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: OmegaStarScream on October 13, 2015, 10:34:57 AM
Quote from: christycalhoun
Will this affect 3rd party clients as well or is this just a problem with the official bitcoin-qt client?

You must be kidding xD look at the above reply (shorena replied to me)


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: NeuroticFish on October 13, 2015, 10:58:31 AM
Quote from: TALOS VULNERABILITY REPORT
A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.

So the local network has to be compromised first.
And if the local network is compromised, you can be in big trouble even without this vulnerability.

I hope that I understood it right.


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: okae on October 13, 2015, 11:11:28 AM
so if I'm not wrong, for users who are using the core, we just need to do it:

  • turn off the checkbox in the GUI under Options → Network → Map port using UPNP (see above)

and don't forget to update our core client when they release a new version with the fix included :)


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: Lauda on October 13, 2015, 11:21:11 AM
This is not a huge deal at the moment since the issue was quickly identified which is good (and because the workaround is easy). I also think that we should change the:
Quote
News: Latest stable version of Bitcoin Core: 0.11.0 [Torrent]
to include some sort of heads up related to this issue. Let's hope that the next version gets released very quickly.


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: achow101 on October 13, 2015, 11:39:46 AM
Quote from: TALOS VULNERABILITY REPORT
A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.

Quote from: NeuroticFish
So the local network has to be compromised first.
And if the local network is compromised, you can be in big trouble even without this vulnerability.

I hope that I understood it right.

That is correct. If the node is on a large network like a company network, this means that someone could attack the node from within the network.


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: Amph on October 13, 2015, 12:46:37 PM
still it does not mean anything for casual users that are not even running a full node and their client is off most of the time

it's always the same story if your desktop is safe and fresh new, you are in a safebox, the only possibility would be that virus(forgot the name) that spread through security holes in the router

also what kind of attack already happened for this vulnerability? i assume none right?


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: johnyj on October 13, 2015, 10:55:59 PM
"It has been verified that the vulnerability can be used to crash the application at startup by running a malicious UPnP server on the local network."  ???


Title: Re: Vulnerability in UPnP library used by Bitcoin Core !!
Post by: saturn643 on October 14, 2015, 02:03:06 AM
Quote from: johnyj
"It has been verified that the vulnerability can be used to crash the application at startup by running a malicious UPnP server on the local network."  ???

A upnp server on the network can send to the node malicious data to crash Bitcoin Core.

I would like to test this, anyone have any idea how?