The Ethereum ecosystem is no different than the Windows or IoT landscape, where security flaws remain unpatched for long periods of time, despite the availability of public patches.
In a report shared with ZDNet today, security researchers from SRLabs revealed that a large chunk of the Ethereum client software that runs on Ethereum nodes has not yet received a patch for a critical security flaw the company discovered earlier this year.
"According to our collected data, only two thirds of nodes have been patched so far," said Karsten Nohl, one of the researchers.
Parity DOS flaw can lead to 51% attacks
The vulnerability is a denial of service (DoS) flaw in Parity, one of the clients used to run Ethereum nodes. Per SRLabs, the vulnerability allows an attacker to remotely crash Ethereum nodes that run Parity by sending malformed packets.
The issue was fixed with the release of the Parity Ethereum client v2.2.10, in mid-February this year, a few days after it was reported.
While most DoS flaws are considered "low impact" for most products, this is not the case in the cryptocurrency world.
DoS flaws allow attackers to crash legitimate nodes. Attackers often exploit DoS vulnerabilities against blockchains to allow malicious nodes to gain a majority over legitimate ones.
When attackers crash enough nodes, they can overwhelm the network and gain a 51% majority on the blockchain, giving them the ability to carry out double-spend attacks and validate malicious transactions.
Plenty of Ethereum clients remain unpatched
A month after the issues SRLabs reported were patched, the company scanned part of the Ethereum blockchain to see how many Parity nodes had updated their clients.
"One month after this alert, we used data from Ethernodes.org to assess the security of the Ethereum node landscape and found that around 40% of all scanned Parity Ethereum nodes [...] remained unpatched and thus vulnerable to the mentioned attack," Nohl said.
The unpatched Parity clients made up roughly 15% of all the scanned nodes, meaning that 15% of all Ethereum nodes were vulnerable to 51% attacks.
Furthermore, more extensive scans also revealed that 7% of active Parity Ethereum nodes have not been patched for nine months -- not receiving a fix for a critical security issue patched in July 2019.
The situation was also similar for nodes that ran a different Ethereum node client -- Go-Ethereum (Geth) -- with 44% not receiving a critical security update (v1.8.21).
Subsequent scans carried out over the past two months also showed an extremely slow patching pace, with the number of unpatched clients barely going down.
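The assessment SRLabs describes boils down to one check repeated across many nodes: parse the client-ID string each node advertises and compare its version with the first fixed release. The script below is an added example, not SRLabs' or ZDNet's tooling; it uses the two fixed versions the article names (Parity Ethereum v2.2.10 and Geth v1.8.21) as baselines, assumes the common "Name/vX.Y.Z-.../platform/compiler" client-ID layout, and runs over a constructed sample rather than real scan data. A node operator can apply the same comparison to the string their own node returns from the JSON-RPC method web3_clientVersion.

```python
import re
from collections import Counter

# First releases containing the fixes the article discusses:
# Parity Ethereum v2.2.10 (DoS fix) and Geth v1.8.21 (critical security update).
PATCHED_MIN = {
    "Parity-Ethereum": (2, 2, 10),
    "Geth": (1, 8, 21),
}

# Client-ID layout "Name/vX.Y.Z-tag-.../platform/compiler" is assumed here;
# only the leading name and the three-part version are needed.
CLIENT_ID_RE = re.compile(r"^(?P<name>[A-Za-z-]+)/v?(?P<ver>\d+\.\d+\.\d+)")


def parse_client_id(client_id):
    """Return (client_name, (major, minor, patch)) or None if unrecognised."""
    m = CLIENT_ID_RE.match(client_id.strip())
    if not m:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    return m.group("name"), version


def is_patched(client_id):
    """True/False for clients with a known baseline, None when we have none.

    Tuple comparison handles the 2.2.9 < 2.2.10 case that a string
    comparison would get wrong.
    """
    parsed = parse_client_id(client_id)
    if parsed is None:
        return None
    name, version = parsed
    baseline = PATCHED_MIN.get(name)
    if baseline is None:
        return None
    return version >= baseline


def patch_gap(client_ids):
    """Summarise client-ID strings as {client: {total, unpatched, unpatched_pct}}.

    Unknown clients and unparsable lines are skipped rather than counted,
    so they cannot silently inflate or deflate the percentages.
    """
    totals, unpatched = Counter(), Counter()
    for cid in client_ids:
        parsed = parse_client_id(cid)
        if parsed is None or parsed[0] not in PATCHED_MIN:
            continue
        name = parsed[0]
        totals[name] += 1
        if not is_patched(cid):
            unpatched[name] += 1
    return {
        name: {
            "total": totals[name],
            "unpatched": unpatched[name],
            "unpatched_pct": round(100.0 * unpatched[name] / totals[name], 1),
        }
        for name in totals
    }


# Constructed sample for this example; the "abc1234" build tags are placeholders.
SAMPLE_SCAN = [
    "Parity-Ethereum/v2.2.10-stable-abc1234/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.3.5-stable-abc1234/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.2.9-stable-abc1234/x86_64-linux-gnu/rustc1.31.1",
    "Parity-Ethereum/v2.1.3-beta-abc1234/x86_64-linux-gnu/rustc1.30.0",
    "Parity-Ethereum/v2.2.7-stable-abc1234/x86_64-linux-gnu/rustc1.31.0",
    "Geth/v1.8.21-stable-abc1234/linux-amd64/go1.11.4",
    "Geth/v1.8.23-stable-abc1234/linux-amd64/go1.11.5",
    "Geth/v1.8.20-stable-abc1234/linux-amd64/go1.11.2",
    "Geth/v1.8.17-stable-abc1234/linux-amd64/go1.11.1",
    "Geth/v1.9.0-unstable-abc1234/linux-amd64/go1.12",
    "Nethermind/v1.0.0/linux-x64/dotnet3.0",  # no baseline defined -> skipped
    "garbage-line",                            # unparsable -> skipped
]

if __name__ == "__main__":
    for client, stats in patch_gap(SAMPLE_SCAN).items():
        print(f"{client}: {stats['unpatched']}/{stats['total']} unpatched "
              f"({stats['unpatched_pct']}%)")
```

The baseline table is the part that needs maintaining: each new fix release moves the minimum version up, and a scan that still compares against an old baseline will report nodes as patched when they are not.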
Flawed Ethereum patching processes
Nohl blames this slow patching rhythm on current update systems employed by both Parity and Geth.
"The Parity Ethereum has an automated update process - but it suffers from high complexity and some updates are left out," Nohl said.
Parity clients that have been configured incorrectly will not receive automatic updates, even when node maintainers believe they do. Any Parity client that doesn't synchronize with the main Ethereum blockchain, or is not available from all nodes, will not receive updates.
On the other hand, Geth lacks an automatic update system altogether, making node patching a manual process that requires the operator to keep an eye out for patches and apply them manually when they're available.
All of these issues put all Ethereum users at risk, and not just the nodes running unpatched versions. The number of unpatched nodes may not be enough to carry out a direct 51% attack, but these vulnerable nodes can be crashed to reduce the cost of a 51% attack on Ethereum, currently estimated at around $120,000 per hour.
However, Nohl warns that the patch gap is only one of the issues. Patching speed is another, and the pace at which the patch gap shrinks to values that make 51% attacks unfeasible is also an important factor.
"Our research suggests that there was a time window when a 51% attack was more likely to happen -- just after the security patch for the DoS vulnerability was released," Nohl told ZDNet. "The likelihood will shoot up again when the next bug is found, as long as patching stays a mostly manual and slow process."
Furthermore, "the consequences of the patch gap would be most severe if a remote code execution were found in a popular client software," Nohl said, as RCE flaws can be exploited to take over nodes altogether, for scenarios even more dangerous and damaging than 51% attacks.
The bad news is that these problems are not unique to Ethereum and its node client software.
"Patch problems are widespread among blockchain clients," Nohl told ZDNet. "The patch gap signals a deep-rooted mistrust in central authority, including any authority that can automatically update software on your computer."
"The blockchain patch gap is more critical for clients that process more complex protocols, in particular smart contracts, since these protocols typically create more surface for bugs that need to be patched.
"Ethereum as the largest smart contract technology is of most concern," Nohl said.