ZMQ: Update to 4.3.1 #657
Merged
ZMQ: Update to 4.3.1 #657
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bug description
QTUM has a vulnerable version of the dependency zeromq, and puts the users which have this feature enabled at risk for a remote-code-execution bug related to CVE-2019-6250 .
This bug can also be triggered via a malicious website talking to localhost via a browser that is on the same computer as a full node with zeromq enabled, using a "DNS rebinding attack". Many
automated tools to perform these attacks now exist, some written by Google Project Zero researchers.
Many block explorers and mining pools use zeromq and are particularly at risk. Exchanges may also have this feature enabled. This vulnerability can lead to exfiltration of private keys, loss of funds and potentially backdooring of servers.
Example Scenarios
Remote Node attack
Local Node attack
Any application which uses a QTUM node with zeromq enabled is vulnerable.
All versions of zeromq from 4.2.0 to 4.3.0 are vulnerable, so this Pull Request upgrades QTUM to 4.3.1, bringing QTUM in sync with BTC upstream.
Block explorers and mining pools should be updated with this new dependency, as well as any other applications that enable zeromq. Changing configurations to add authentication to zeromq and specifically not trust all connections from localhost is also highly encouraged.
A bounty would be greatly appreciated at this address:
and will help fund my future security research in QTUM.
My GPG keys can be obtained from Keybase if desired.
Thanks,
Duke Leto