6% of Bitcoin nodes running outdated software vulnerable to exploits

Share This Post

Bitcoin Core developers have historically disclosed just 10 vulnerabilities affecting older software versions, as reported by Bitcoin Optech. The vulnerabilities, fixed in more recent releases, could have allowed various attacks on nodes running outdated Bitcoin Core versions.

The vulnerabilities are relevant given that Bitcoin Core developers recently introduced a new security disclosure policy to improve transparency and communication regarding vulnerabilities. Historically, the project has faced criticism for inadequate public disclosure of security-critical bugs, leading to a perception that Bitcoin Core is free of bugs.

Libbitcoin developer Eric Voskuil wrote, in a message to the Bitcoin mailing list, that this perception is misleading and potentially hazardous, as it underestimates the risks of running outdated software versions.

Active Bitcoin node vulnerabilities

CryptoSlate has analyzed active Bitcoin nodes to identify how many are currently vulnerable to each attack vector. Roughly 787 (5.94%) out of 14,001 nodes run versions older than 0.21.0.

This figure is significant enough to be considered a problem the Bitcoin community may need to address. Efforts can be made to encourage these node operators to upgrade to newer versions to enhance the Bitcoin network’s overall security, efficiency, and future readiness.

While not an immediate critical issue, it is undoubtedly a concern that warrants attention. It’s not an existential threat to Bitcoin, as most of the network still runs up-to-date software. However, it represents a non-trivial portion of the network that could cause issues or be exploited under certain circumstances. It indicates a need for better communication and incentives within the Bitcoin community to encourage more frequent updates.

Risks for active Bitcoin nodes

VulnerabilityAffected VersionsVulnerable Nodes
Remote code execution due to a bug in miniupnpc (CVE-2015-6031)Before 0.11.122
Node crash DoS from multiple peers with large messages (CVE-2015-3641)Before 0.10.15
Censorship of unconfirmed transactionsBefore 0.21.0787
Unbound ban list CPU/memory DoS (CVE-2020-14198)Before 0.20.1185
Netsplit from excessive time adjustmentBefore 0.21.0787
CPU DoS and node stalling from orphan handlingBefore 0.18.070
Memory DoS from large inv messagesBefore 0.20.0182
Memory DoS using low-difficulty headersBefore 0.15.029
CPU-wasting DoS due to malformed requestsBefore 0.20.0182
Memory-related crash in attempts to parse BIP72 URIsBefore 0.20.0182

Per the disclosure, the most widespread vulnerability affected versions prior to 0.21.0, potentially impacting 787 nodes. This flaw could enable censorship of unconfirmed transactions and cause netsplits due to excessive time adjustments.

Three separate vulnerabilities affected versions before 0.20.0, each potentially impacting 182 nodes. These included a memory DoS from large inv-messages, a CPU-wasting DoS from malformed requests, and a memory-related crash when parsing BIP72 URIs.

An unbound ban list CPU/memory DoS vulnerability (CVE-2020-14198) affected versions prior to 0.20.1, potentially putting 185 nodes at risk. Earlier versions were susceptible to other attacks, such as a CPU DoS and node stalling from orphan handling (before 0.18.0, affecting 70 nodes) and a memory DoS using low-difficulty headers (before 0.15.0, impacting 29 nodes).

The oldest vulnerabilities disclosed included a remote code execution bug in miniupnpc (CVE-2015-6031) affecting versions before 0.11.1 and a node crash DoS from large messages (CVE-2015-3641) in versions prior to 0.10.1. These affected 22 and 5 nodes, respectively, indicating that very few are still running such outdated software.

New Bitcoin developer disclosure policy

The new policy categorizes vulnerabilities into four severity levels: low, medium, high, and critical. Low-severity bugs, which are difficult to exploit or have minimal impact, will be disclosed two weeks after a fixed version is released, with a pre-announcement made simultaneously.

Medium and high-severity bugs, which have more significant impacts, will be disclosed two weeks after the last affected release reaches its end-of-life (EOL), typically one year after the fixed version is first released. A pre-announcement will be made two weeks before disclosure. Critical bugs threatening the network’s integrity will require an ad-hoc disclosure procedure.

The policy will be implemented gradually. All vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier will be disclosed immediately. In July, vulnerabilities fixed in version 22.0 will be disclosed, followed by those fixed in version 23.0 in August. This process will continue until all EOL versions have been addressed.

This initiative aims to set clear expectations for security researchers, incentivizing them to find and responsibly disclose vulnerabilities. By making security bugs available to a broader group of contributors, the policy seeks to prevent future issues and enhance the overall security of the Bitcoin network.

Per the Bitcoin Development Mailing List, the policy’s gradual adoption will allow the community to adjust and provide feedback on its impact.

Node operators still using affected versions are strongly advised to upgrade to the latest release to mitigate these potential risks.

The post 6% of Bitcoin nodes running outdated software vulnerable to exploits appeared first on CryptoSlate.

Read Entire Article
spot_img
- Advertisement -spot_img

Related Posts

Fed Pauses Rate Hikes, Cuts Treasury Redemption Cap as Tariff Effects Loom

The US central bank opted to hold the federal funds rate steady within the range of 425% to 450%, emphasizing that “inflation remains somewhat elevated” Powell Highlights Tariff Challenges in

On-Chain Data Signals Key Test For Solana At $135 Level – Insights

Solana has been struggling since late January, experiencing a sharp decline alongside the broader crypto market SOL has lost over 60% of its value, with bulls now fighting to hold onto current price

Trump’s crypto Czar slams media for misrepresenting divestment as dump

White House AI and crypto advisor David Sacks criticized claims that he “dumped” his crypto holdings and clarified that, after being appointed by President Donald Trump, he was required

Bitcoin Price Watch: Bulls Aim for $90K, but Resistance Stands in the Way

Bitcoin is trading at $84,502, commanding a market cap of $167 trillion, representing 603% dominance in the $278 trillion crypto economy With a 24-hour trading volume of $26 billion and an intraday

Shiba Inu Price Ready To Bounce Off 3.5 Year Triangle For 660% Surge Toward ATH

Crypto analyst The Cryptagon has provided a bullish outlook for the Shiba Inu price The analyst revealed that the meme coin is ready to bounce off an ascending triangle, which could send its price to

Tom Emmer says 1M Bitcoin reserve will be enacted under current Congress

Congressman and Vice Chairman of the Digital Assets Subcommittee Tom Emmer believes the strategic Bitcoin (BTC) reserve plan to acquire 1 million BTC will be enacted before the end of this Congress