Vulnerability Spotlight: Multiple Vulnerabilities in the CPP and Parity Ethereum Client

Vulnerabilities discovered by Marcin Noga of Cisco Talos.


Overview


Talos is disclosing the presence of multiple vulnerabilities in the CPP and the Parity Ethereum clients.

TALOS-2017-0503 / CVE-2017-14457 describes a denial of service vulnerability and potential memory leak in libevm. The function is not currently enabled in the default build. This vulnerability only affects nodes which have manually enabled it during build time.

TALOS-2017-0508 / CVE-2017-14460 is an overly permissive cross-domain (CORS) whitelist policy vulnerability in the Ethereum Parity client. It can lead to the leak of sensitive data about existing accounts, parity settings and network configurations, in addition to accounts and parity settings modifications, if certain APIs have been turned on.

In addition, TALOS-2017-0464 - TALOS-2017-0471 / CVE-2017-12112 - CVE-2017-12119 describe multiple authorization bypass vulnerabilities which an attacker could misuse to access functionality reserved for users with administrative privileges, without presenting any credentials.

Finally, Talos found TALOS-2017-0471 / CVE-2017-12119, another denial of service vulnerability, in the CPP-Ethereum JSON-RPC implementation. A specially crafted JSON request can cause an unhandled exception, resulting in a denial of service.


Table 1 gives a brief overview of important security-related JSON-RPC implementation details of the different Ethereum clients. Two of the three clients use sub-optimal implementations of the JSON-RPC interface. This leads to the serious security flaws which we describe in detail below.

Table 1 (image not included in this copy): security-related JSON-RPC implementation details of the Ethereum clients. *CORS: Cross Origin Resource Sharing


Details


TALOS-2017-0503 / CVE-2017-14457

Improper handling of smart contract code in the create2 opcode handler can lead to a denial of service. An attacker could hand over a huge amount of data to the SHA1 function, which would take a long time to compute. The vulnerability can be used to perform a denial of service attack on all nodes in the Ethereum network that use this implementation of the virtual machine library function. It is also a potential memory leak, because data read out of bounds is returned to the attacker as a contract address. This function is not enabled by default; it has to be enabled by running ethvm with the -network Constantinople switch. More details can be found in the Talos vulnerability report.

TALOS-2017-0508 / CVE-2017-14460

Parity is a Rust-based Ethereum client and one of the three most popular clients for the Ethereum platform. It provides a rich JSON-RPC interface. This interface is turned on by default and exposes a significant number of APIs. It comes with an overly permissive cross-domain (CORS) whitelist policy, which by default is set to '*'. Users running the Parity wallet who visit malicious websites are exposed to exploitation of this JSON-RPC daemon misconfiguration. This can lead to the leak of sensitive data about existing accounts, parity settings and network configurations, and to modification of accounts and parity settings if certain APIs have been turned on. More details can be found in the Talos vulnerability report.

TALOS-2017-0464 - TALOS-2017-0470 / CVE-2017-12112 - CVE-2017-12118

Improper authorization vulnerabilities exist in several CPP Ethereum APIs in their JSON-RPC implementation. An attacker can send a malicious JSON request to access restricted functionality in the following CPP Ethereum APIs, resulting in an authorization bypass.

TALOS-2017-0464 - admin_addPeer
TALOS-2017-0465 - admin_nodeInfo
TALOS-2017-0466 - admin_peers
TALOS-2017-0467 - miner_setEtherbase
TALOS-2017-0468 - miner_setGasPrice
TALOS-2017-0469 - miner_start
TALOS-2017-0470 - miner_stop

This may enable a remote attacker to access functionality reserved for users with administrative privileges without presenting any credentials. This is especially critical because the interface is bound to 0.0.0.0 (all available IP addresses) and exposed to the world. The Content-Type should be set to ‘application/json’ when sending requests, but this requirement is not enforced. This means that even if the JSON-RPC daemon is running on a machine behind a NAT gateway, the JSON-RPC API can still be easily exploited through CSRF or SSRF attacks.

More details can be found in the Talos vulnerability report linked above.

TALOS-2017-0471 / CVE-2017-12119

Another denial of service vulnerability was found in the JSON-RPC server implementation of the CPP Ethereum client. Due to the lack of proper exception handling in some of the APIs, an attacker may be able to send a malformed JSON request in order to crash the client/node. More details can be found in the Talos vulnerability report.
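The three server-side weaknesses described above (unenforced Content-Type, privileged admin_/miner_ methods reachable without credentials, and unhandled parse errors) come down to request validation before dispatch. The following is an added illustration written for this post, not code from CPP-Ethereum or Parity: a hypothetical hardened JSON-RPC front end that rejects non-JSON content types, maps malformed bodies to a JSON-RPC parse error instead of an exception, gates the privileged namespaces behind an authenticated flag, and echoes only allowlisted origins in CORS headers. The allowlisted origin and the -32001 error code are constructed values for the example.

```python
import json
from typing import Any

# Namespaces of the methods the advisory lists (admin_addPeer, miner_start, ...).
PRIVILEGED_PREFIXES = ("admin_", "miner_")

# Constructed allowlist of browser origins; a "*" policy is never emitted.
ALLOWED_ORIGINS = {"http://localhost:8180"}


def _error(req_id: Any, code: int, message: str) -> dict:
    """Build a JSON-RPC 2.0 error response."""
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_rpc(headers: dict, body: bytes, authenticated: bool) -> dict:
    """Validate one HTTP JSON-RPC request before dispatch (hypothetical hardened handler)."""
    # HTTP header names are case-insensitive, so normalise before looking them up.
    hdrs = {k.lower(): v for k, v in headers.items()}
    # 1. Enforce the JSON content type; a cross-site HTML form cannot set it without a
    #    CORS preflight, so this check closes the simple CSRF path the advisory describes.
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return _error(None, -32600, "Content-Type must be application/json")
    # 2. Parse defensively: a malformed body yields a -32700 error, not an unhandled exception.
    try:
        req = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return _error(None, -32700, "Parse error")
    if not isinstance(req, dict) or not isinstance(req.get("method"), str):
        return _error(None, -32600, "Invalid Request")
    method, req_id = req["method"], req.get("id")
    # 3. Privileged namespaces need an authenticated session, whatever address the daemon binds.
    if method.startswith(PRIVILEGED_PREFIXES) and not authenticated:
        return _error(req_id, -32001, f"Unauthorized: {method} requires admin credentials")
    # Placeholder dispatch; a real server would call the method implementation here.
    return {"jsonrpc": "2.0", "id": req_id, "result": f"dispatched {method}"}


def cors_headers(origin: str) -> dict:
    """Echo only allowlisted origins; never answer with Access-Control-Allow-Origin: *."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```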


Coverage

Talos recommends Endpoint Security products such as Advanced Malware Protection (AMP) to mitigate client-side exploitation of these vulnerabilities.

The following Snort rules will detect exploitation attempts of some of these vulnerabilities. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort rules: 44707-44712, 44713