Bug in Bitcoin code also opens smaller cryptocurrencies to attacks

Simple denial of service bug can crash unpatched Bitcoin network nodes and may also affect many Bitcoin-based cryptocurrency offshoots.
Written by Catalin Cimpanu, Contributor

The Bitcoin team today fixed a severe vulnerability in the software that underpins the entire Bitcoin network.

The vulnerability is tracked as CVE-2018-17144 and is categorized as a simple "denial of service" (DoS) issue. While this classification may play down its importance, as most DoS bugs cause simple crashes, this vulnerability has a more severe impact than most people believe.

This is because CVE-2018-17144 affects Bitcoin Core, the software that Bitcoin nodes (miners) run on their servers, and the software that keeps the entire Bitcoin network up and running.

"[It] can take down the network," Jason Glassberg, co-founder of Casaba Security, told ZDNet today. "That would affect transactions in the sense that they cannot be completed, but does not appear to open up a way to steal or manipulate wallets."

Glassberg's assessment was confirmed by other cryptocurrency experts as well, who also pointed out this bug can be exploited remotely.

But while users' funds are not at risk, an attacker can use this vulnerability to intentionally crash Bitcoin nodes.

If an attacker controls or adds enough malicious nodes to the Bitcoin network and then causes a crash, he can execute a so-called 51% attack on the Bitcoin network and manipulate transactions for his financial gain.

According to this website, it currently costs about $450,000 to mount a 51% attack for an hour under normal conditions, but by exploiting this bug, an attacker can reduce this cost to a smaller and more feasible value.

According to the Bitcoin team, exploitation is also rather simple, as it only relies on sending malformed transactions on the Bitcoin network.

"Older versions of Bitcoin Core will crash if they try to process a block containing a transaction that attempts to spend the same input twice," the Bitcoin Core team explained in a security advisory released today.

All Bitcoin Core versions between 0.14.0 and 0.16.2 are considered vulnerable. This covers all Bitcoin Core releases since March 2017. Version 0.16.3 was released today to address this issue. Bitcoin Knots, a fork of and alternative to the Bitcoin Core software, was also confirmed to be affected and also received a patch.
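For operators who want to check a fleet against the version range above, the following added example (not code from the article or from the Bitcoin Core project) classifies nodes by the "/Satoshi:x.y.z/" user-agent string that Bitcoin Core reports in the `subversion` field of its `getnetworkinfo` RPC. The hostnames and the inventory are constructed for illustration, and a client that does not identify as Bitcoin Core is reported as unknown rather than safe.

```python
import re

# Range stated in the article: 0.14.0 through 0.16.2 vulnerable, fixed in 0.16.3.
FIRST_VULNERABLE = (0, 14, 0)
FIRST_FIXED = (0, 16, 3)

# Bitcoin Core user agent, e.g. "/Satoshi:0.16.2/"; a fourth component
# (as in 0.15.0.1) is accepted and ignored for the range comparison.
_UA = re.compile(r"/Satoshi:(\d+)\.(\d+)\.(\d+)(?:\.\d+)?")

def parse_core_version(subversion):
    """Return (major, minor, rev) from a user-agent string, or None."""
    m = _UA.search(subversion or "")
    if not m:
        return None
    return tuple(int(m.group(i)) for i in (1, 2, 3))

def classify(subversion):
    """Return 'vulnerable', 'outside-range' or 'unknown' for one node."""
    version = parse_core_version(subversion)
    if version is None:
        return "unknown"  # fork or custom client: consult its own advisory
    if FIRST_VULNERABLE <= version < FIRST_FIXED:
        return "vulnerable"
    return "outside-range"

def audit(nodes):
    """Group hostnames by classification, sorted for stable reporting."""
    report = {"vulnerable": [], "outside-range": [], "unknown": []}
    for host, user_agent in nodes.items():
        report[classify(user_agent)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed inventory: hostnames and user agents are made up for this example.
SAMPLE_NODES = {
    "node-a": "/Satoshi:0.16.2/",
    "node-b": "/Satoshi:0.16.3/",
    "node-c": "/Satoshi:0.13.2/",
    "node-d": "/Satoshi:0.14.0/",
    "node-e": "/ExampleCoin:1.2.0/",
    "node-f": "/Satoshi:0.15.0.1/",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_NODES).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The user agent is self-reported, so this is reliable for nodes you operate yourself and only indicative for remote peers.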

The CVE-2018-17144 patch was also ported to Litecoin, a cryptocurrency that started out as a fork of the original Bitcoin project code.

But Emin Gün Sirer, a professor at Cornell University and a renowned cryptographer and cryptocurrency expert, says this bug was only fixed in Litecoin after the Bitcoin Core 0.16.3 release, meaning the Litecoin project was never informed of the issue in advance.

"Copycat currencies are at risk," Sirer said today, referring to all the cryptocurrencies that have been forked from the Bitcoin code in the past decade.

"By definition, there's always a group upstream that knows their vulnerabilities," he warned, implying that attackers keeping an eye on the main Bitcoin branch may attempt to exploit this flaw on smaller cryptocurrencies where the patch has not been ported yet, and where 51 percent attacks are even cheaper and easier to carry out than against Bitcoin's massive network.

For readers who only own Bitcoin and other cryptocurrency funds, this bug is not a direct threat, but readers who also run their own mining rigs should look into the vulnerability and check whether it affects their mining rig's software.
