Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update zeromq to 4.3.1 #20

Merged
merged 1 commit into from
Feb 26, 2019
Merged

Update zeromq to 4.3.1 #20

merged 1 commit into from
Feb 26, 2019

Conversation

leto
Copy link
Contributor

@leto leto commented Feb 19, 2019

Bug description

Snowgem has a vulnerable version of the dependency zeromq, and puts the users which have this feature enabled at risk for a remote-code-execution bug related to CVE-2019-6250 .

This bug can also be triggered via a malicious website talking to localhost via a browser that is on the same computer as a full node with zeromq enabled, using a "DNS rebinding attack". Many
automated tools to perform these attacks now exist, some written by Google Project Zero researchers.

Many block explorers and mining pools use zeromq and are particularly at risk. Exchanges may also have this feature enabled. This vulnerability can lead to exfiltration of private keys, loss of funds and potentially backdooring of servers.

Example Scenarios

Remote Node attack

  • Various unix user accounts exist on the same server as an instance of an XSG full node with zeromq enabled, such as Snowgem Explorer
  • Unprivileged user on the same machine as user of Insight explorer is compromised
  • User uses zeromq CVE-2019-6250 via localhost to steal wallet.dat, leave backdoor/etc

Local Node attack

  • Developer runs a development/testing version of a zeromq-enabled XSG full node on localhost, such as Snowgem Explorer
  • Developer browses to a malicious website
  • Website uses DNS rebinding attack to communicate directly with zeromq
  • Website uses zeromq CVE-2019-6250 to steal all funds and leave a backdoor/etc

Any application which uses a XSG node with zeromq enabled is vulnerable, Insight explorers are just a common and well-known example.

All versions of zeromq from 4.2.0 to 4.3.0 are vulnerable, so this Pull Request upgrades XSG to 4.3.1, bringing XSG in sync with BTC upstream.

Block explorers and mining pools should be updated with this new dependency, as well as any other applications that enable zeromq. Changing configurations to add authentication to zeromq and specifically not trust all connections from localhost is also highly encouraged.

A bounty would be greatly appreciated at this address:

s1PMo4JPf9Tsacw7CH6Nv6diK3g4ghXLJ9s

and will help fund my future security research in XSG.
My GPG keys can be obtained from Keybase if desired.

Thanks,
Duke Leto

@TENTOfficial
Copy link
Owner

Thanks for your pull

@TENTOfficial TENTOfficial reopened this Feb 26, 2019
@TENTOfficial TENTOfficial merged commit 057a6ec into TENTOfficial:master Feb 26, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@leto @TENTOfficial