Bitcoin Core developers have historically disclosed just 10 vulnerabilities affecting older software versions, as reported by Bitcoin Optech. The vulnerabilities, fixed in more recent releases, could have allowed various attacks on nodes running outdated Bitcoin Core versions.
The vulnerabilities are relevant given that Bitcoin Core developers recently introduced a new security disclosure policy to improve transparency and communication regarding vulnerabilities. Historically, the project has faced criticism for inadequate public disclosure of security-critical bugs, leading to a perception that Bitcoin Core is free of bugs.
Libbitcoin developer Eric Voskuil wrote, in a message to the Bitcoin mailing list, that this perception is misleading and potentially hazardous, as it underestimates the risks of running outdated software versions.
Active Bitcoin node vulnerabilities
CryptoSlate has analyzed active Bitcoin nodes to identify how many are currently vulnerable to each attack vector. Roughly 787 (5.94%) out of 14,001 nodes run versions older than 0.21.0.
This figure is significant enough to be considered a problem the Bitcoin community may need to address. Efforts can be made to encourage these node operators to upgrade to newer versions to enhance the Bitcoin network’s overall security, efficiency, and future readiness.
While not an immediate critical issue, it is undoubtedly a concern that warrants attention. It’s not an existential threat to Bitcoin, as most of the network still runs up-to-date software. However, it represents a non-trivial portion of the network that could cause issues or be exploited under certain circumstances. It indicates a need for better communication and incentives within the Bitcoin community to encourage more frequent updates.
Risks for active Bitcoin nodes
| Vulnerability | Affected Versions | Vulnerable Nodes |
|---|---|---|
| Remote code execution due to a bug in miniupnpc (CVE-2015-6031) | Before 0.11.1 | 22 |
| Node crash DoS from multiple peers with large messages (CVE-2015-3641) | Before 0.10.1 | 5 |
| Censorship of unconfirmed transactions | Before 0.21.0 | 787 |
| Unbound ban list CPU/memory DoS (CVE-2020-14198) | Before 0.20.1 | 185 |
| Netsplit from excessive time adjustment | Before 0.21.0 | 787 |
| CPU DoS and node stalling from orphan handling | Before 0.18.0 | 70 |
| Memory DoS from large inv messages | Before 0.20.0 | 182 |
| Memory DoS using low-difficulty headers | Before 0.15.0 | 29 |
| CPU-wasting DoS due to malformed requests | Before 0.20.0 | 182 |
| Memory-related crash in attempts to parse BIP72 URIs | Before 0.20.0 | 182 |
Per the…
Click Here to Read the Full Original Article at Bitcoin (BTC) News | CryptoSlate…
