Denial of service in Bitcoin core
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-17145 |
| CWE-ID | CWE-399 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Bitcoin Core Other software / Other software solutions Bitcoin Knots Server applications / Other server solutions |
| Vendor |
Bitcoin Bitcoin Knots |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Resource management error
EUVDB-ID: #VU46673
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-17145
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources with the applicatoin. A remote attacker can flood the application with multiple transaction inv messages with random hashes and perform a denial of service (DoS) attack, aka INVDoS.
Install updates from vendor's website.
Vulnerable software versionsBitcoin Core: 0.16.0 - 0.16.1
Bitcoin Knots: 0.16.0 - 0.16.1
External linkshttp://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17145
http://github.com/bitcoin/bitcoin/blob/v0.16.2/doc/release-notes.md
http://invdos.net
http://invdos.net/paper/CVE-2018-17145.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
