Bitcoin Forum
Topic: Vulnerability in Miniupnpc library used by bitcoin core
achow101 (OP)
October 12, 2015, 03:52:05 PM
 #1

Apparently the miniupnpc library that bitcoin core uses has a buffer overflow vulnerability which makes it possible for someone in the local network to crash bitcoin nodes on that network. It may also be possible to carry out other attacks, but that has not yet been confirmed.

More info here: https://bitcoin.org/en/alert/2015-10-12-upnp-vulnerability

roslinpl
October 13, 2015, 04:38:05 PM
Last edit: October 13, 2015, 05:05:00 PM by roslinpl
 #2

Hello,

I think this thread should be moved to Bitcoin Forum > Bitcoin > Technical Support

Nothing is perfect, and UPnP is not either, as was proved in 2013 and as is visible now.
And as it was in 2013, so it is now: the quick solution for that is just to switch it off.

The miniupnpc patch was released on 8-10-2015.

For now just add
Code:
upnp=0
into your bitcoin.conf file.

Bitcoin Core 0.11.1 will be released with a fixed miniupnpc.
You can also download the new miniupnpc and compile Core with the fixed miniupnpc.


But also remember that the problem is not a big one, as this is only dangerous in a situation where you are not using your home router and a secure firewall, as we "usually" are (for sure we all should/need to).

This vulnerability in UPnP is only dangerous if you are using Bitcoin Core while connected to an unknown router (and network) (for example while using free WiFi around the city).


At the same time, if you are connected to any unknown router/network you are in danger. There are many methods to scam you, get your data, ID, etc. if you connect to a prepared 'router'.
So, no matter whether UPnP is safe or not, you should never, in any case or situation, trust unknown networks.


Best regards.
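
The upnp=0 mitigation from the post above, as an added check that is not part of the original thread: a shell function that reports whether a bitcoin.conf explicitly disables UPnP. The name upnp_status, its status words and the sample file are made up for this example; it only looks at `upnp=` lines and treats any value other than 0 as enabled, rather than assuming which duplicate line takes effect.

```shell
#!/bin/sh
# Added example: audit a bitcoin.conf for the upnp=0 mitigation.
# upnp_status is a hypothetical helper name, not a Bitcoin Core tool.
# Prints one of:
#   disabled  every upnp= line in the file is upnp=0
#   enabled   at least one upnp= line has a value other than 0
#   unset     no upnp= line at all, so the build default applies
#   missing   the file cannot be read
upnp_status() {
    conf=$1
    [ -r "$conf" ] || { echo missing; return 0; }
    awk '
        # Drop comments and all whitespace so "upnp = 0  # note" becomes "upnp=0".
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        # Any upnp= line that is not exactly upnp=0 counts as not mitigated.
        /^upnp=/ { seen = 1; if ($0 != "upnp=0") bad = 1 }
        END { print (bad ? "enabled" : (seen ? "disabled" : "unset")) }
    ' "$conf"
}

# Constructed sample: a later line contradicts the mitigation, so the
# conservative answer is "enabled".
sample=$(mktemp)
printf 'server=1\nupnp=0  # mitigation\nupnp=1\n' > "$sample"
upnp_status "$sample"
rm -f "$sample"
```

A `-upnp` flag passed on the command line is not visible to this check, so review the node's start-up arguments as well.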