Bitcoin Forum
Author Topic: [ANN] Critical vulnerability (denial-of-service attack)  (Read 23352 times)
[#1] Gavin Andresen (Chief Scientist), May 14, 2012, 04:56:30 PM

We have been quietly notifying the largest exchanges, merchant service providers and mining pools about this issue, and waited until they upgraded or patched their code to go public with this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2012-2459: Critical Vulnerability

A denial-of-service vulnerability that affects all versions of
bitcoind and Bitcoin-Qt has been reported and fixed. An attacker
could isolate a victim's node and cause the creation of blockchain
forks.

Because this bug could be exploited to severely disrupt the Bitcoin
network we consider this a critical vulnerability, and encourage
everybody to upgrade to the latest version: 0.6.2.

Backports for older releases (0.5.5 and 0.4.6) are also available if
you cannot upgrade to version 0.6.2.

Full technical details are being withheld to give people the
opportunity to upgrade.

Thanks to Forrest Voight for discovering and reporting the vulnerability.


Questions that might be frequently asked:

How would I know if I am the victim of this attack?

Your bitcoin process would stop processing blocks and would have a
different block count from the rest of the network (you can see the
current block count at websites like blockexplorer.com or
blockchain.info).  Eventually it would display the message:

"WARNING: Displayed transactions may not be correct!  You may need to
upgrade, or other nodes may need to upgrade."

(note that this message is displayed whenever your bitcoin process
detects that the rest of the network seems to have a different
block count, which can happen for several reasons unrelated to
this vulnerability).


Could this bug be used to steal my wallet?

No.


Could this bug be used to install malware on my system?

No.


[PGP signature block omitted]

How often do you get the chance to work on a potentially world-changing project?
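The FAQ above gives the symptom to look for: a node whose block count drifts away from the rest of the network, stops advancing, and eventually shows the divergence warning. The following is an added example, not part of the announcement or of Bitcoin Core, that turns that description into a check: it compares the local block count with a reference count (for example from an explorer) and the node's warning string, and classifies the result. The `rpc` helper, its URL and credentials, and the assumption that the warning arrives in `getinfo`'s `errors` field are mine, not the page's.

```python
# Added example, not from the announcement or Bitcoin Core: classify a node against
# the FAQ's symptom (block count diverging from the network, tip not advancing,
# bitcoind's own divergence warning, assumed here to come from getinfo "errors").
import base64, json, urllib.request
from dataclasses import dataclass, field

WARNING_TEXT = "Displayed transactions may not be correct"  # quoted in the FAQ above

@dataclass
class NodeHealth:
    local_height: int
    reference_height: int
    lag: int            # reference minus local; negative means local is ahead
    verdict: str        # "ok", "lagging", "stuck" or "ahead"
    notes: list = field(default_factory=list)

def assess_node(local_height, reference_height, errors="", max_lag=3, stalled_for_s=0):
    """max_lag: blocks behind a reference (e.g. an explorer) tolerated as propagation delay.
    stalled_for_s: seconds since the local tip last advanced (0 = unknown).
    The warning alone is not proof of this bug (the FAQ says it has unrelated causes),
    so it only escalates the verdict when the height also diverges."""
    lag = reference_height - local_height
    notes = [f"node warning: {errors}"] if errors else []
    if lag < 0:
        verdict = "ahead"      # reference is stale, or this node is on its own fork
        notes.append("local tip ahead of reference; re-check against a second source")
    elif lag <= max_lag:
        verdict = "ok"
    elif stalled_for_s >= 3600 or WARNING_TEXT in errors:
        verdict = "stuck"      # behind and not advancing, or self-reporting divergence
        notes.append("matches the isolated-node symptom; upgrade to 0.6.2 or a backport")
    else:
        verdict = "lagging"    # behind but may still be catching up
    return NodeHealth(local_height, reference_height, lag, verdict, notes)

def rpc(url, user, password, method, params=()):
    """Minimal JSON-RPC 1.0 call to bitcoind; url/user/password are placeholders."""
    body = json.dumps({"jsonrpc": "1.0", "id": "chk", "method": method,
                       "params": list(params)}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["result"]

if __name__ == "__main__":
    # Live use: rpc("http://127.0.0.1:8332", "user", "pass", "getblockcount") and
    # rpc(..., "getinfo")["errors"]; constructed sample values used here instead.
    print(assess_node(180000, 180025, errors=WARNING_TEXT, stalled_for_s=7200))
```

A node a few blocks behind is normal propagation delay; the check only reports "stuck" when the gap is large and the tip has also stopped moving or the node itself reports divergence.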
[#2] rjk, May 14, 2012, 05:00:28 PM

Quote from: Gavin Andresen on May 14, 2012, 04:56:30 PM
We have been quietly notifying the largest exchanges, merchant service providers and mining pools about this issue, and waited until they upgraded or patched their code to go public with this:

Responsible disclosure FTW.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
[#3] MrTiggr, May 14, 2012, 05:06:43 PM

GAVIN FTW   .. Outstanding work *bump* this.

#bitcoin-police
[#4] REF, May 14, 2012, 05:15:12 PM

good thing I updated to 0.6.2 today. Nice work on the client gavin, peter, and the rest of the team
[#5] Jan, May 14, 2012, 05:17:50 PM

Quote from: rjk on May 14, 2012, 05:00:28 PM
Quote from: Gavin Andresen on May 14, 2012, 04:56:30 PM
We have been quietly notifying the largest exchanges, merchant service providers and mining pools about this issue, and waited until they upgraded or patched their code to go public with this:
Responsible disclosure FTW.

+1

Mycelium lets you hold your private keys private.
[#6] Technomage, May 14, 2012, 05:48:06 PM

Well done.

Denarium - Leading Physical Bitcoin Manufacturer - Special Xmas deals now live!
[#7] Kris, May 14, 2012, 06:08:18 PM

Which email did you use to notify WalletBit?

Kind regards
Kris
[#8] coretechs, May 14, 2012, 06:08:49 PM

For anyone who is unaware, Forrest is the creator of the decentralized peer-to-peer mining pool p2pool - which will now be even more DoS resistant.

Many thanks guys.

http://bitcoindoc.com - The Rise and Rise of Bitcoin | http://nxtportal.org - Nxt blockchain explorer
[#9] Luke-Jr, May 14, 2012, 06:18:16 PM

Quote from: coretechs on May 14, 2012, 06:08:49 PM
For anyone who is unaware, Forrest is the creator of the decentralized peer-to-peer mining pool p2pool - which will now be even more DoS resistant.

Uh, what? p2pool is more susceptible to DoS than other pools, and this fix to bitcoind/Bitcoin-Qt does nothing to change that.

[#10] Dansker, May 14, 2012, 06:23:21 PM

Explain it like I'm 10 please

[#11] Luke-Jr, May 14, 2012, 06:25:34 PM

Quote from: Dansker on May 14, 2012, 06:23:21 PM
Explain it like I'm 10 please

"You really want to upgrade ASAP..."

[#12] Kris, May 14, 2012, 06:41:16 PM

Every bitcoind upgraded on my side, Thanks.
[#13] bitcoinBull, May 14, 2012, 06:50:44 PM

Quote from: coretechs on May 14, 2012, 06:08:49 PM
For anyone who is unaware, Forrest is the creator of the decentralized peer-to-peer mining pool p2pool - which will now be even more DoS resistant.

Many thanks guys.

Forrest's bitcoin address: 1HNeqi3pJRNvXybNX4FKzZgYJsdTSqJTbk


College of Bucking Bulls Knowledge
[#14] Coinabul, May 14, 2012, 06:56:09 PM

Well, this is good and bad. Good that you caught it!

You guys might want to include a link to the software update...

Anyways, bump, bump, bump!

Coinabul.com - Gold Unbarred
Website owners, let me put my ads on your site! PM me!
[#15] freewil, May 14, 2012, 07:26:04 PM

Was a network alert (getinfo.errors) broadcasted for this?
[#16] Dalkore, May 14, 2012, 07:44:53 PM

Quote from: rjk on May 14, 2012, 05:00:28 PM
Quote from: Gavin Andresen on May 14, 2012, 04:56:30 PM
We have been quietly notifying the largest exchanges, merchant service providers and mining pools about this issue, and waited until they upgraded or patched their code to go public with this:
Responsible disclosure FTW.

Absolutely a good call.   Thank you.

Dalkore

[Winter Fire Sale] Hosting: $60.00 per KW) [6-month contracts] - Link
Transaction List: jayson3 +5 - ColdHardMetal +3 - Nolo +2 - CoinHoarder +1 - Elxiliath +1 - tymm0 +1 - Johnniewalker +1 - Oscer +1 - Davidj411 +1 - BitCoiner2012 +1 - dstruct2k +1 - Philj +1 - camolist +1 - exahash +1 - Littleshop +1 - Severian +1 - DebitMe +1 - lepenguin +1 - StringTheory +1 - amagimetals +1 - jcoin200 +1 - serp +1 - klintay +1 - -droid- +1 - FlutterPie +1
[#17] mog, May 14, 2012, 09:09:10 PM

It really says something when the first I hear of a critical vuln is when I'm getting the link to the patch.
Handled quite well, gentlemen, good job.
[#18] coretechs, May 15, 2012, 04:36:56 AM

Quote from: Luke-Jr on May 14, 2012, 06:18:16 PM
Quote from: coretechs on May 14, 2012, 06:08:49 PM
For anyone who is unaware, Forrest is the creator of the decentralized peer-to-peer mining pool p2pool - which will now be even more DoS resistant.
Uh, what? p2pool is more susceptible to DoS than other pools, and this fix to bitcoind/Bitcoin-Qt does nothing to change that.

If you run a p2pool node you need to run bitcoind, so with this vulnerability patched the net result is a system that is less susceptible to DoS, is it not?  I didn't mean to suggest this bug had anything to do with p2pool itself, as Forrest made clear in the p2pool thread.

Regarding the DoS susceptibility, do you mind answering in the p2pool thread?  I don't want to hijack/derail this thread with a pool discussion - http://bitcointalk.org/index.php?topic=18313.msg901218#msg901218


http://bitcoindoc.com - The Rise and Rise of Bitcoin | http://nxtportal.org - Nxt blockchain explorer
[#19] Nyaaan, May 15, 2012, 01:34:20 PM

Quote from: Gavin Andresen on May 14, 2012, 04:56:30 PM
[the CVE-2012-2459 announcement from post #1, quoted in full]

Isn't Bitcoin meant to be public or something, not 'public when you want it to be'?
[#20] kjlimo, May 15, 2012, 02:24:43 PM

Quote from: Nyaaan on May 15, 2012, 01:34:20 PM
Quote from: Gavin Andresen on May 14, 2012, 04:56:30 PM
[the CVE-2012-2459 announcement from post #1, quoted in full]
Isn't Bitcoin meant to be public or something, not 'public when you want it to be'?

Sometimes you gotta let the "honest nodes" know about something to fix it before the "dishonest nodes" take advantage of it... I think that's an inevitable reality of fixing issues with the least disruption.

CampBX for buying BTCs, Coinbase for selling BTCs or Vircurex or Cryptsy for trading alternate cryptocurrencies like DOGEs

PM me with any questions on these sites!  Happy to help!

Bitcoin Poker at Seals                  Strike Sapphire Casino  Free games every hour & day!
  Get Free Bitcoins here.

Spondoolies-Tech or KnC Miner for the fastest mining hardware available!

Bitpay to help your business accept bitcoin payments!