Vulnerability in UPnP library used by Bitcoin Core !!

[OmegaStarScream]

I was just on Bitcoin.org to link someone to a wallet and I've seen the warning on the top of the page so I thought I should share it with you guys , I'am not a user of Bitcoin core anymore but here :

https://bitcoin.org/en/alert/2015-10-12-upnp-vulnerability

[GermanGiant]

Does it affect any other wallet or only core ?

[unamis76]

Thanks for the heads up... Why will there be a new 0.10 release?

[krb91]

Does it affect any other wallet or only core ?

I'm not sure, there is a reddit thread about it, and someone might use it to eventually explain if any other wallets besides core are vulnerable. At he moment the thread only gives the same advice as bitcoin.org, which I quoted. It's only for core, so the vulnerability probably doesn't affect other wallets. I don't understand UPNP well enough to say for certain.

https://www.reddit.com/r/Bitcoin/comments/3ogg0t/bitcoinorg_vulnerability_in_upnp_library_used_by/

Either
turn off the checkbox in the GUI under Options → Network → Map port using UPNP
add the line upnp=0 to your bitcoin.conf file
add -upnp=0 to the command line options

[Amph]

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

[achow101]

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

For the daemon if you don't use core.

[krb91]

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet, if you built your wallet yourself it should have UPnP disabled by default.

[saturn643]

The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.

Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?

[Amph]

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet, if you built your wallet yourself it should have UPnP disabled by default.

there is no 0.11.1 apparently, i found that they are at rc2 for this version, on a shady website, or at least it seems so...

[achow101]

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet, if you built your wallet yourself it should have UPnP disabled by default.

there is no 0.11.1 apparently, i found that they are at rc2 for this version, on a shady website, or at least it seems so...

Neither of them have been released yet. They are still in the release candidate stage.

0.11.1rc2 is officially available at https://bitcoin.org/bin/bitcoin-core-0.11.1/test/
0.10.3rc2 is officially available at https://bitcoin.org/bin/bitcoin-core-0.10.3/test/

[coinpr0n]

The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.

Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?

Please remember that these are volunteer developers. They may have only just realized the problem was out there or they were waiting to have a patch ready before bringing it to the attention of the public.

[shorena]

The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.

Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?

Please remember that these are volunteer developers. They may have only just realized the problem was out there or they were waiting to have a patch ready before bringing it to the attention of the public.

I have no source, but I read about the issue on twitter way before this was on bitcoin.org or posted here (twice now?).

Found the source, 3 days old: https://twitter.com/gavinandresen/status/652462681442648065

[Melds]

What are the potential repercussions of this flaw? I'm slightly worried..

[OmegaStarScream]

Does it affect any other wallet or only core ?

I suppose it affects the others because the other SPV wallets use same versions of Bitcoin Core as we do , yes ? correct me if I'am wrong !

[shorena]

Does it affect any other wallet or only core ?

I suppose it affects the others because the other SPV wallets use same versions of Bitcoin Core as we do , yes ? correct me if I'am wrong !

SPV wallets are not affected, they just request data from full nodes.

[christycalhoun]

Will this affect 3rd party clients as well or is this just a problem with the official bitcoin-qt client?

[OmegaStarScream]

Will this affect 3rd party clients as well or is this just a problem with the official bitcoin-qt client?

You must be kidding xD look the above reply (shorena replied to me)

[NeuroticFish]

A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.

So the local network has to be compromised first.
And if the local network is compromised, you can be in big trouble even without this vulnerability.

I hope that I understood it right.

[okae]

so if im not wrong, for users who are using the core, we just need to do it:

• turn off the checkbox in the GUI under Options → Network → Map port using UPNP (see above)

and dont forget to update our core client when they release a new version with the fix included

[Lauda]

This is not a huge deal at the moment since the issue was quickly identified which is good (and because the workaround is easy). I also think that we should change the:

News: Latest stable version of Bitcoin Core: 0.11.0 [Torrent]

to include some sort of heads up related to this issue. Let's hope that the next version gets released very quickly.