INVDoS, a severe DoS issue in Bitcoin Core, remained undisclosed for two years

The INVDoS (Bitcoin Inventory Out-of-Memory Denial-of-Service) attack would have allowed hackers to crash Bitcoin nodes and alternative chains.

Two years ago, the Bitcoin protocol engineer Braydon Fuller discovered a major uncontrolled memory resource consumption denial-of-service vulnerability (INVDoS), tracked as CVE-2018-17145, that affected the peer-to-peer network code of three implementations of Bitcoin and other blockchains, including Litecoin, Namecoin, and Decred.

The researcher kept details of the flaw private in order to avoid threat actors exploiting the issue, but this week the issue was disclosed after an independent researcher found it in another cryptocurrency leveraging an older version of Bitcoin Core.

Fuller discovered that an attacker could exploit the INVDoS flaw by using malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled memory resource consumption and trigger a DoS condition (i.e. a server crash).

“There was an uncontrolled resource consumption and out-of-memory (OOM) vulnerability that could have been easily exploited in a denial-of-service (DoS/DDoS) attack against many Bitcoin, Litecoin, Namecoin and Decred nodes by any other network participant,” reads the paper published by the expert.

“At the time of the discovery, this represented more than 50% of publicly-advertised Bitcoin nodes with inbound traffic, and likely a majority of miners and exchanges.”

The INVDoS flaw affects Bitcoin Core v0.16.0, Bitcoin Core v0.16.1, Bitcoin Knots v0.16.0, all beta versions of Bcoin up to v1.0.0-pre, all versions of Btcd up to v0.20.1-beta, Litecoin Core v0.16.0, Namecoin Core v0.16.1, and all versions of Dcrd up to v1.5.1.
The issue has been patched in Bitcoin Core v0.16.2+, Bitcoin Knots v0.16.2+, Bcoin v1.0.2+, Btcd v0.21.0-beta+, Litecoin Core v0.16.2+, Namecoin v0.16.2+, and Dcrd v1.5.2+ releases.

Fuller pointed out that the severity of the INVDoS flaw is higher than that of other DoS vulnerabilities because its exploitation could cause loss of funds or revenue.

“This could be through a loss of mining time or expenditure of electricity by shutting down nodes and delaying blocks or causing the network to temporarily partition,” continues the paper. “It could also be through disruption and delay of time sensitive contracts or prohibiting economic activity. That could affect commerce, exchanges, atomic swaps, escrows and lightning network HTLC payment channels. There has not been a known exploitation of this vulnerability in the wild.”

CVE-2018-17145 was independently discovered a few weeks ago by the Bitcoin protocol engineer Javed Khan while assessing the chain behind the Decred cryptocurrency.

Khan reported the flaw as part of the Decred bug bounty program, which led to its public disclosure.

The good news is that neither expert is aware of attacks in the wild exploiting the flaw.

“There has not been a known exploitation of this vulnerability in the wild,” Fuller and Khan said. “Not as far as we know.”

Pierluigi Paganini

(SecurityAffairs – hacking, invdos)
