Author Topic: Vulnerability in Miniupnpc library used by bitcoin core  (Read 402 times)
achow101 (OP)
October 12, 2015, 03:52:05 PM
 #1

Apparently the miniupnpc library that bitcoin core uses has a buffer overflow library which makes it possible for someone in the local network to crash bitcoin nodes on that network. It may also be possible to carry out other attacks, but that has not yet been confirmed.

More info here: https://bitcoin.org/en/alert/2015-10-12-upnp-vulnerability

roslinpl
October 13, 2015, 04:38:05 PM
Last edit: October 13, 2015, 05:05:00 PM by roslinpl
 #2

Hello,

I think this thread should be moved to Bitcoin Forum > Bitcoin > Technical Support

Nothing is perfect, and neither is UPnP, as was proved in 2013 and as is visible now.
And as in 2013, so now: the quick solution is simply to switch it off.

The miniupnpc patch was released on 8-10-2015.

For now just add
Code:
upnp=0
into your bitcoin.conf file.

Bitcoin Core 0.11.1 will be released with a fixed miniupnpc.
You can also download the new miniupnpc and compile Core with the fixed miniupnpc.

But also remember that the problem is not a big one, as this is only dangerous in a situation where you are not using your home router and a secure firewall as we "usually" are (for sure we all should/need to).

This vulnerability in UPnP is only dangerous if you are using Bitcoin Core while connected to an unknown router (and network) (for example while using free WiFi around the city).

At the same time, if you are connected to any unknown router/network you are in danger. There are many methods to scam you, get your data, ID, etc. if you connect to a prepared 'router'.
So, no matter whether UPnP is safe or not, you should never, in any case or situation, trust unknown networks.


Best regards.
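
An added example, not part of the posts above and not Bitcoin Core's own code: a shell check that reports whether a given bitcoin.conf carries the upnp=0 workaround. The function name upnp_status and its result words are this example's own, and it assumes `#` starts a comment and that whitespace around the key is ignored; any upnp line that is not exactly 0, or a file with no upnp line at all, is reported as not mitigated.

```shell
#!/bin/sh
# Added example: audit a bitcoin.conf for the upnp=0 workaround.
# Prints exactly one word:
#   disabled - at least one upnp line exists and every one is upnp=0
#   enabled  - some upnp line has a value other than 0 (conflicts count as enabled)
#   unset    - no upnp line; the effective value depends on the build's default
#   missing  - the file does not exist or is not readable
upnp_status() {
    conf="$1"
    [ -r "$conf" ] || { echo "missing"; return 0; }
    awk '
        {
            sub(/#.*/, "")          # drop comments (assumed comment syntax)
            gsub(/[ \t\r]/, "")     # drop spaces, tabs and Windows CRs
        }
        /^upnp=/ {
            seen = 1
            if (substr($0, 6) != "0") on = 1   # value follows the 5-char "upnp="
        }
        END {
            if (!seen)   print "unset"
            else if (on) print "enabled"
            else         print "disabled"
        }
    ' "$conf"
}

if [ $# -gt 0 ]; then
    # Audit the file given on the command line.
    upnp_status "$1"
else
    # No argument: run against a constructed sample, not a real node's config.
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' 'listen=1' 'upnp=0  # workaround' > "$sample"
    upnp_status "$sample"
    rm -f "$sample"
fi
```

Treat anything other than "disabled" as a node that still needs the setting or a rebuilt miniupnpc.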