The Ethereum ecosystem is no different from the Windows or IoT landscape, where security flaws remain unpatched for long periods of time despite the availability of public patches. SRLabs' security researchers revealed that a large portion of the Ethereum client software running on Ethereum nodes has not yet received a patch for a critical security flaw the company discovered earlier this year.
“According to our collected data, only two thirds of nodes have been patched so far,” said Karsten Nohl, one of the researchers.
PARITY DOS FLAW CAN LEAD TO 51% ATTACKS
The vulnerability is a Denial of Service (DoS) flaw in the Parity client, software used for running Ethereum nodes. By sending malformed packets, an attacker can remotely crash Ethereum nodes that run Parity. The issue was resolved with the release of the Parity Ethereum client v2.2.10, a few days after it was reported in mid-February this year.
While for most products DoS flaws are considered "low impact," this is not the case in the world of cryptocurrency. DoS flaws allow attackers to crash legitimate nodes, and attackers frequently exploit blockchain DoS vulnerabilities so that malicious nodes gain a majority over legitimate ones.
When attackers crash enough nodes, they can overwhelm the network and gain a 51 percent majority on the blockchain, enabling them to perform double-spending attacks and validate malicious transactions.
PLENTY OF ETHEREUM CLIENTS REMAIN UNPATCHED
The company scanned part of the Ethereum network a month after the issues reported by SRLabs were patched to see how many Parity nodes had updated their client software.
“One month after this alert, we used data from Ethernodes.org to assess the security of the Ethereum node landscape and found that around 40% of all scanned Parity Ethereum nodes remained unpatched and thus vulnerable to the mentioned attack,” Nohl said.
More extensive scans also revealed that 7 percent of active Parity Ethereum nodes have gone nine months without a fix for a critical security issue patched in July 2019. Subsequent scans over the past two months also showed an extremely slow patching pace, with the number of unpatched clients barely dropping.
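The patch-gap measurement described above can be reproduced by a node operator or a defender against their own inventory. The following is an added example, not SRLabs' tooling or Parity's code: it takes client identifier strings of the kind a node crawl or the standard `web3_clientVersion` JSON-RPC call returns, extracts the Parity version, and reports what share of Parity nodes still announce a build older than the fixed release v2.2.10 named in the article. The sample identifier list, the exact identifier format, and the helper names are constructed assumptions.

```python
import re
from collections import Counter

# Release in which the Parity DoS flaw discussed in the article was fixed
# (from the article); anything older is counted as vulnerable.
PATCHED_VERSION = (2, 2, 10)

# Constructed sample of client identifiers, shaped like web3_clientVersion
# responses. These are NOT real scan results; commit hashes are placeholders.
SAMPLE_CLIENT_VERSIONS = [
    "Parity-Ethereum//v2.2.9-stable-abcdef0/x86_64-linux-gnu/rustc1.31.1",
    "Parity-Ethereum//v2.2.10-stable-0123456/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum//v2.3.2-beta-789abcd/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum//v2.1.11-stable-fedcba9/x86_64-linux-gnu/rustc1.30.0",
    "Geth/v1.8.22-stable-7fa3509e/linux-amd64/go1.11.5",
    "Parity-Ethereum//v2.2.10-stable-0123456/aarch64-linux-gnu/rustc1.32.0",
    "Parity/v1.11.8-stable-c754a02-20180725/x86_64-linux-gnu/rustc1.27.2",
    "garbage-banner-without-version",
]

# Accepts both the older "Parity/vX.Y.Z" and newer "Parity-Ethereum//vX.Y.Z"
# prefixes (assumed formats) and captures the numeric version triple.
PARITY_VERSION_RE = re.compile(r"^Parity(?:-Ethereum)?/+v(\d+)\.(\d+)\.(\d+)")


def parse_parity_version(client_version):
    """Return (major, minor, patch) for a Parity identifier, else None."""
    match = PARITY_VERSION_RE.match(client_version)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(client_version, patched=PATCHED_VERSION):
    """'patched', 'vulnerable', or 'other' (non-Parity or unparseable)."""
    version = parse_parity_version(client_version)
    if version is None:
        return "other"
    # Tuple comparison orders (2, 3, 2) above (2, 2, 10), unlike string compare.
    return "patched" if version >= patched else "vulnerable"


def patch_gap(client_versions, patched=PATCHED_VERSION):
    """Count classes and compute the vulnerable share among Parity nodes only."""
    counts = Counter(classify(cv, patched) for cv in client_versions)
    parity_total = counts["patched"] + counts["vulnerable"]
    share = counts["vulnerable"] / parity_total if parity_total else 0.0
    return {
        "patched": counts["patched"],
        "vulnerable": counts["vulnerable"],
        "other": counts["other"],
        "vulnerable_share": share,
    }


if __name__ == "__main__":
    result = patch_gap(SAMPLE_CLIENT_VERSIONS)
    print(f"Parity nodes patched: {result['patched']}, "
          f"vulnerable: {result['vulnerable']}, non-Parity/unknown: {result['other']}")
    print(f"Vulnerable share of Parity nodes: {result['vulnerable_share']:.0%}")
```

A self-reported version string is the only signal a crawl gives, so the check measures how many nodes still announce a vulnerable build; it cannot tell whether a node's auto-updater will ever move it, which is exactly the configuration problem the article goes on to describe. Non-Parity and unparseable identifiers are kept out of the denominator so they do not dilute the share.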
FLAWED ETHEREUM PATCHING PROCESSES
Nohl blames the current update systems used by both Parity and Geth for this slow patching rhythm.
“The Parity Ethereum has an automated update process – but it suffers from high complexity and some updates are left out,” Nohl said.
Incorrectly configured Parity clients will not receive automatic updates, even if node maintainers believe they do. Nor will any Parity client that does not synchronize with the Ethereum main chain, or that is not available to all nodes, receive updates.
Geth, on the other hand, has no automatic update system at all, so patching a node is a manual process that requires the operator to watch for patches and apply them by hand when they become available.
All these issues put all Ethereum users at risk, not just the nodes running unpatched versions. The number of unpatched nodes may not be sufficient to carry out a direct 51 percent attack, but these vulnerable nodes can be crashed to reduce the cost of an Ethereum 51 percent attack, currently estimated at about $120,000 per hour.
Nohl warns, though, that the patch gap is just one of the problems. Patching speed is another, and an equally important factor is how quickly the patch gap shrinks to values that make 51 percent attacks unfeasible. "Our research suggests that there was a time window when a 51% attack was more likely to happen — just after the security patch for the DoS vulnerability was released," Nohl told ZDNet. "The likelihood will shoot up again when the next bug is found, as long as patching stays a mostly manual and slow process."
Furthermore, "the consequences of the patch gap would be most severe if a remote code execution were found in a popular client software," Nohl said, since RCE flaws can be exploited to take over nodes altogether, enabling scenarios even more dangerous and damaging than 51 percent attacks.
The bad news is that these issues are not unique to Ethereum and its node client software.
"Patch problems are widespread among blockchain clients," Nohl told ZDNet. "The patch gap signals a deep-rooted mistrust in central authority, including any authority that can automatically update software on your computer." The blockchain patch gap is more critical for clients processing more complex protocols, especially smart contracts, as these protocols create more attack surface for bugs that need to be patched.
“Ethereum as the largest smart contract technology is of most concern,” Nohl said.