Posts: Advisory and full disclosure for CVE-2018-20587 #637
Conversation
|
ACK FWIW, this is a general problem with services using non-privileged ports. |
| excerpt: > | ||
| A full disclosure of the impact of CVE-2018-20587, affecting all released | ||
| versions of Bitcoin Core, including the latest 0.17.1. Includes workarounds | ||
| to mitigate risks. |
There was a problem hiding this comment.
Nit: the excerpt is cut off at "to miti..." (I don't care whether this is fixed, but you might care).
There was a problem hiding this comment.
How about "Disclosure of the impact and mitigation of CVE-2018-20587, affecting all released versions of Bitcoin Core, including the latest 0.17.1." ? Would that fit?
|
|
||
| You may be affected by this issue if you have the RPC service enabled (default, with the headless bitcoind), and other users have access to run their own services on the same computer (either local or remote access). | ||
| If you are the only user of the computer running your node, you are not affected. | ||
| If you use the GUI but have not enabled the RPC service, you are not affected. |
There was a problem hiding this comment.
In the source text, this is formatted like three separate items (e.g. bullet points), but this is rendered as a single paragraph. I just want to make sure that's your intention. Preview:
There was a problem hiding this comment.
Yes, I prefer one-line-per-sentence simply for diff readability. A single paragraph is the intended end-user presentation.
| - 2018-12-14 Bui Thanh recommends that Bitcoin Core should not silently ignore failures to bind RPC listening ports. | ||
| - 2018-12-15 Wladimir J. van der Laan submits pull request #14968 to fix the issue. | ||
| - 2018-12-28 Due to the fix proposed in #14968 breaking the RPC service working on IPv4-only systems, and no straightforward way to resolve both issues, the fix is deferred. | ||
| - 2018-12-30 A complex and experimental solution to fix both issues is released in Bitcoin Knots 0.17.1.knots20181229. |
There was a problem hiding this comment.
Information about Knots is not relevant to this website, please remove this.
There was a problem hiding this comment.
Yes, it is. Far more than Bcash ABC, which has been included in similar contexts. Knots is part of Bitcoin, and a stepping stone to hopefully getting the fix into Core.
There was a problem hiding this comment.
If there is a Bitcoin Core PR that attempts to get this solution (I dont even know what it is?) upstream, then we can include that. Just the fact that someone, somewhere, wrote a patch they think addresses an issue is not worth putting in a timeline.
|
Should this be merged now, or are we waiting on something else? |
|
Agree that the reference to knots should be removed. It's frustrating that we have the same conversation about that over and over again. |
|
@jnewbery What's frustrating is that some people feel the need to repeatedly troll with some irrational anti-Knots bigotry, while at the same time including scams like "Bitcoin ABC". |
luke-jr
force-pushed
the
CVE-2018-20587
branch
from
63b4ad0 to
e8def03
Compare
|
Excerpt fixed. |
|
Controversial text aside, is this ready for merge or is it waiting for some additional approval? |
|
What policy are we following when choosing which CVE:s we post information about on the site? |
|
NACK. This is not the right place for this. This should be in documentation telling people how to safely use the RPC interface (we've always said that making RPC accessible to untrusted parties is unsafe). Putting it up as a blog post just means people will forget about it/miss it. |
|
I'm not aware of some "anti-Knots bigotry". No one is against Knots, but there is an expectation that things referenced on bitcoincore.org are either (a) sufficiently relevant to merit inclusion or (b) a sufficiently overlapping set of regular Bitcoin Core contributors contribute to the project that we may be willing to consider it supported. Sadly, Knots doesn't have many contributors, that doesn't mean its a bad idea or that people are against it, but it does mean that "Bitcoin Core" doesn't support it and, as a project, should be careful to recommend it. This would be just as true whether it was maintained by Wladimir as you, Luke. |
| CVE-2018-20587 is a Incorrect Access Control vulnerability that affects all currently released versions of Bitcoin Core, including the latest 0.17.1. | ||
|
|
||
| You may be affected by this issue if you have the RPC service enabled (default, with the headless bitcoind), and other users have access to run their own services on the same computer (either local or remote access). | ||
| If you are the only user of the computer running your node, you are not affected. |
There was a problem hiding this comment.
This is understated - sure, the discovery of this particular bug doesn't change this a ton, but you still have a lot of risk from other software running on your computer which can access your RPC port. Can we make this a much broader "risks when using RPC port" post? There was also the previous discussion a few months ago where some wallet was telling users to expose their RPC port to the internet which merits discussion.
|
@practicalswift All involved in triage of this CVE agreed posting publicly on it (in one form or another) was among the most effective ways to mitigate it. @TheBlueMatt I already said at the start, that Core docs should have some of this merged in. But quietly adding it to docs won't get much attention, and so doing both only makes sense if we're serious about having people act on it.
Both criteria are met here. (a) Knots is directly relevant since it provides an experimental fix that users can deploy and test immediately, hopefully resulting in any issues being addressed before a merge and release in Core. (b) Everyone who contributes to Core is also contributing to Knots, and Knots provides testing for things eventually merged into Core. The only difference is the policy for doing merges. |
|
Let's ignore the Knots drama. If it's still there when there's otherwise agreement that this PR should be merged, I can just open a separate PR based upon this one with an additional commit that removes the Knots stuff and merge that. I've done that before, e.g. #609 I'm a fan of updating the documentation in the Bitcoin Core docs/ directory and putting something into the release notes instead of publishing a long blog post that basically says that using a computer not under your exclusive control is unsafe---something that's always been true, even if there is now another known way to exploit that fundamental vulnerability via port binding. I'll put that on my Monday todo list. (Regardless, I'm still willing to merge this, but with @TheBlueMatt's NACK, I think it needs additional support first.) |
|
I'm fine with a blog post if we want more visibility, but if that's the case we should be more broad here. As I mentioned we also had recent issues with some folks recommending users expose their RPC ports publicly. Writing this up next to calling out that practice as bad may be merited, but more important is documentation (and maybe a pointer in the help text to tell people to read it).
… On Jan 18, 2019, at 19:04, David A. Harding ***@***.***> wrote:
Let's ignore the Knots drama. If it's still there when there's otherwise agreement that this PR should be merged, I can just open a separate PR based upon this one with an additional commit that removes the Knots stuff and merge that. I've done that before, e.g. #609
I'm a fan of updating the documentation in the Bitcoin Core docs/ directory and putting something into the release notes instead of publishing a long blog post that basically says that using a computer not under your exclusive control is unsafe---something that's always been true, even if there is now another known way to exploit that fundamental vulnerability via port binding. I'll put that on my Monday todo list. (Regardless, I'm still willing to merge this, but with @TheBlueMatt's NACK, I think it needs additional support first.)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
5a5ea93 Doc: add information about security to the JSON-RPC doc (David A. Harding) Pull request description: This documents some information about using the RPC interface securely, as suggested in bitcoin-core/bitcoincore.org#637 by @luke-jr and @TheBlueMatt. I think it should fit in well with #14458, but is not dependent on it (and shouldn't have any significant merge conflicts with it). Tree-SHA512: e09d82c3029ed17a8bcf50722ea25a8c6c514731f3bce01908cbb6fe48bc96a3068a025beabebc602d18e1bc0dc3f2602848abc05dca1d3efe2a988ee50068c0
|
Core docs are updated. Discussion at meeting today, sounds like the general feeling is not to have a dedicated blog post for it. |
…RPC doc 5a5ea93 Doc: add information about security to the JSON-RPC doc (David A. Harding) Pull request description: This documents some information about using the RPC interface securely, as suggested in bitcoin-core/bitcoincore.org#637 by @luke-jr and @TheBlueMatt. I think it should fit in well with bitcoin#14458, but is not dependent on it (and shouldn't have any significant merge conflicts with it). Tree-SHA512: e09d82c3029ed17a8bcf50722ea25a8c6c514731f3bce01908cbb6fe48bc96a3068a025beabebc602d18e1bc0dc3f2602848abc05dca1d3efe2a988ee50068c0
…RPC doc 5a5ea93 Doc: add information about security to the JSON-RPC doc (David A. Harding) Pull request description: This documents some information about using the RPC interface securely, as suggested in bitcoin-core/bitcoincore.org#637 by @luke-jr and @TheBlueMatt. I think it should fit in well with bitcoin#14458, but is not dependent on it (and shouldn't have any significant merge conflicts with it). Tree-SHA512: e09d82c3029ed17a8bcf50722ea25a8c6c514731f3bce01908cbb6fe48bc96a3068a025beabebc602d18e1bc0dc3f2602848abc05dca1d3efe2a988ee50068c0
…RPC doc 5a5ea93 Doc: add information about security to the JSON-RPC doc (David A. Harding) Pull request description: This documents some information about using the RPC interface securely, as suggested in bitcoin-core/bitcoincore.org#637 by @luke-jr and @TheBlueMatt. I think it should fit in well with bitcoin#14458, but is not dependent on it (and shouldn't have any significant merge conflicts with it). Tree-SHA512: e09d82c3029ed17a8bcf50722ea25a8c6c514731f3bce01908cbb6fe48bc96a3068a025beabebc602d18e1bc0dc3f2602848abc05dca1d3efe2a988ee50068c0
6 participants
Details regarding a local MITM attack on the RPC service (executable by different users on the same machine)
(In addition to the notice here, it probably also makes sense to merge some of this advice to Core's docs.)