Author: Luke Dashjr 2019-11-22 17:13:14
Published on: 2019-11-22T17:13:14+00:00
CVE-2018-20586 is a log injection vulnerability that affects Bitcoin Core. Any software that has access to the RPC port can create fake or confusing entries in the debug log without requiring valid authentication. However, the RPC port is by default only exposed to the local machine. The vulnerability was introduced in 2016 and fixed in December 2018 with the release of v0.17.1. To exploit this vulnerability, the malicious software must either be running on the same machine as the node, have the ability to proxy connections to the node via the local machine, or the node must be configured to accept RPC connections from a network via which the attacker can connect. Additionally, a human user must read the debug log and act on or otherwise believe the injected data, in a way that is somehow harmful.

The attacker can add nearly any content to the request to inject it into the log. To ensure their entire request is injected, standard spaces would need to be replaced with alternative whitespace characters, and newlines would need to become other control characters. Because the injected data must use such non-standard characters, it is most likely not to fool other software parsing the debug log, and only a human visually reading it.

To fix this vulnerability, POST requests are now sanitised before being logged, removing all characters that should not appear in an ordinary POST request.

The timeline shows that the vulnerability was introduced in January 2015 and merged into the master git repository in September 2015. practicalswift disclosed the vulnerability to the security team in October 2018, and the fix was merged into the master git repository on November 5th and into the 0.17 git repository on November 30th. The existence of the vulnerability was disclosed to the bitcoin-dev mailing list in June 2019 and its details were disclosed on November 22nd, 2019. Credit for discovering and fixing the vulnerability goes to practicalswift.
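The fix described above boils down to filtering a request line before it reaches the log. The following C++ is an added example written for this page, not Bitcoin Core's own sanitisation code: it keeps only printable 7-bit ASCII, so the alternative whitespace and control characters the advisory mentions are dropped, and it counts how many bytes were removed so an operator can alert on requests that needed sanitising at all. The helper names (`SanitizeForLog`, `CountUnsafeBytes`, `SampleRequest`) and the sample request line are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// A byte is allowed into the debug log only if it is printable 7-bit ASCII
// (0x20 space .. 0x7E '~'). Tab, CR, LF, vertical tab, form feed, DEL and
// every byte of a multi-byte UTF-8 sequence (e.g. U+00A0 no-break space)
// fail this test. Hypothetical helper, not Bitcoin Core's own code.
inline bool IsLogSafe(unsigned char c) {
    return c >= 0x20 && c <= 0x7E;
}

// Return a copy of `input` with every byte that is not log-safe removed.
// This is the defensive step: whatever an unauthenticated client sends,
// only ordinary request characters can end up in the log line.
std::string SanitizeForLog(const std::string& input) {
    std::string out;
    out.reserve(input.size());
    for (unsigned char c : input) {
        if (IsLogSafe(c)) out.push_back(static_cast<char>(c));
    }
    return out;
}

// Number of bytes SanitizeForLog would drop. A nonzero value for a request
// line is a useful detection signal: legitimate RPC clients have no reason
// to send control characters or non-ASCII whitespace in the request line.
std::size_t CountUnsafeBytes(const std::string& input) {
    std::size_t n = 0;
    for (unsigned char c : input) {
        if (!IsLogSafe(c)) ++n;
    }
    return n;
}

// Constructed sample request line (not captured from a real node): a
// vertical tab (0x0B) stands in for a newline and a UTF-8 no-break space
// (0xC2 0xA0) stands in for a space, the kind of substitution the advisory
// says an injected request would have to use.
std::string SampleRequest() {
    std::string s;
    s += "POST / HTTP/1.1";
    s += '\x0b';
    s += "Fake";
    s += static_cast<char>(0xC2);
    s += static_cast<char>(0xA0);
    s += "line";
    return s;
}

int main() {
    const std::string raw = SampleRequest();
    std::printf("unsafe bytes removed: %zu\n", CountUnsafeBytes(raw));
    std::printf("logged as: %s\n", SanitizeForLog(raw).c_str());
    return 0;
}
```

The sanitised form of the sample collapses to `POST / HTTP/1.1Fakeline`: the injected second "line" no longer starts on its own row, and the three dropped bytes are reported so the event can be logged as a separate, clearly labelled warning rather than trusted as content.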
Updated on: 2023-05-20T21:09:14.665531+00:00