Bitcoin Core Vulnerability Disclosure and Fix
This page discloses the impact on Bitcoin Core of an infinite loop bug in its miniupnp dependency. The fix was released in Bitcoin Core version v22.0 on September 14, 2021.
This issue is considered low severity.
Details
Miniupnp (the UPnP library used by Bitcoin Core) keeps waiting during discovery for as long as it receives random data from a device on the network. Additionally, it allocates memory for each new piece of device information. An attacker on the local network can pretend to be a UPnP device and continuously send bloated M-SEARCH replies to a Bitcoin Core node until its memory is exhausted.
Only users who run with the -miniupnp option are affected by this bug, because Miniupnp is turned off by default.
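The failure mode described above comes from a receive loop with no upper bound on time or on stored entries. The following C sketch is an added example, not code from miniupnp or Bitcoin Core: it bounds a discovery loop by a device cap and an overall deadline, with the socket replaced by a constructed in-process peer (fake_peer, fake_recv, discover and every limit value are assumptions of the example).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REPLY_BYTES 1500  /* assumed per-reply cap, not a miniupnp constant */
struct device { struct device *next; size_t len; char data[]; };

/* Constructed stand-in for the SSDP socket: a peer that sends `replies`
 * replies of `reply_len` bytes, one every `interval_ms` milliseconds. */
struct fake_peer { size_t replies, reply_len; unsigned interval_ms, now_ms; };

static long fake_recv(struct fake_peer *p, char *buf, size_t cap) {
    if (p->replies == 0) return -1;        /* receive timeout: peer went silent */
    p->replies--; p->now_ms += p->interval_ms;  /* advance the simulated clock */
    size_t n = p->reply_len < cap ? p->reply_len : cap;
    memset(buf, 'A', n);
    return (long)n;
}

/* Collect replies until silence, the device cap, or the overall deadline.
 * With both limits at their maximum value the loop is unbounded again. */
static size_t discover(struct fake_peer *p, size_t max_devices,
                       unsigned deadline_ms, struct device **out) {
    char buf[MAX_REPLY_BYTES];
    size_t count = 0;
    *out = NULL;
    while (count < max_devices && p->now_ms < deadline_ms) {
        long n = fake_recv(p, buf, sizeof buf);
        if (n <= 0) break;
        struct device *d = malloc(sizeof *d + (size_t)n);
        if (!d) break;                     /* stop instead of retrying on OOM */
        d->len = (size_t)n;
        memcpy(d->data, buf, d->len);
        d->next = *out; *out = d;          /* prepend to the device list */
        count++;
    }
    return count;
}

static void free_devices(struct device *d) {
    while (d) { struct device *next = d->next; free(d); d = next; }
}

int main(void) {
    struct fake_peer p = { 100000, 1500, 1, 0 };  /* constructed chatty peer */
    struct device *list;
    printf("kept %zu devices\n", discover(&p, 16, 2000, &list));
    free_devices(list);
    return 0;
}
```

With the caps in place, memory held by the list is at most max_devices times MAX_REPLY_BYTES plus list overhead, regardless of how long the peer keeps replying.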
Attribution
Ronald Huveneers reported the infinite loop bug to the miniupnp project, and Michael Ford (Fanquake) reported it to the Bitcoin Core project, along with a PoC that triggers an OOM and a pull request to update the dependency (including the fix).
Timeline
- 2020-09-17 – Ronald Huveneers initially reported the infinite loop bug to miniupnp
- 2020-10-13 – Preliminary report sent to security@bitcoincore.org by Michael Ford
- 2021-03-23 – Fixes merged
- 2021-09-13 – v22.0 released
- 2024-07-31 – Public disclosure
When a vulnerability is discovered in essential software like Bitcoin Core, it's crucial to understand the details of the issue and the steps taken to address it. In this case, the impact on Bitcoin Core of the infinite loop bug in its miniupnp dependency was brought to light. This bug allowed attackers on the local network to exploit the UPnP library used by Bitcoin Core, leading to potential memory exhaustion.
Attribution plays a significant role in such disclosures, and in this case, Ronald Huveneers and Michael Ford played vital roles. Ronald reported the bug to the miniupnp project, while Michael alerted the Bitcoin Core project, providing essential information to address the vulnerability effectively.
The timeline of events leading to the fix being released showcases the coordinated efforts of the security community. From the initial report in 2020 to the final fix in 2021, each step was crucial in ensuring the security of Bitcoin Core users.
Overall, the handling of this vulnerability highlights the importance of collaboration and transparency in dealing with cybersecurity threats. By addressing issues promptly and efficiently, the Bitcoin Core team demonstrated their commitment to maintaining the integrity of the software.