CVE-2020-26264 - OpenCVE

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ethereum	Go Ethereum

Configuration 1 [-]

cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46	Patch Third Party Advisory
https://github.com/ethereum/go-ethereum/pull/21896	Patch Third Party Advisory
https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25	Third Party Advisory
https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-12-11T16:45:24

Updated: 2020-12-11T16:45:24

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26264

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-11T17:15:12.793

Modified: 2020-12-14T18:06:07.520

Link: CVE-2020-26264

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"containers": {"cna": {"affected": [{"product": "go-ethereum", "vendor": "ethereum", "versions": [{"status": "affected", "version": "< 1.9.25"}]}], "descriptions": [{"lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-11T16:45:24", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/pull/21896"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25"}], "source": {"advisory": "GHSA-r33q-22hv-j29q", "discovery": "UNKNOWN"}, "title": "LES Server DoS via GetProofsV2", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26264", "STATE": "PUBLIC", "TITLE": "LES Server DoS via GetProofsV2"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "go-ethereum", "version": {"version_data": [{"version_value": "< 1.9.25"}]}}]}, "vendor_name": "ethereum"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q", "refsource": "CONFIRM", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q"}, {"name": "https://github.com/ethereum/go-ethereum/pull/21896", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/pull/21896"}, {"name": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46"}, {"name": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25"}]}, "source": {"advisory": "GHSA-r33q-22hv-j29q", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26264", "datePublished": "2020-12-11T16:45:24", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2020-12-11T16:45:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AC7FBD4-34A5-414C-BBBA-2512124CFBF0", "versionEndExcluding": "1.9.25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Go Ethereum, or \"Geth\", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. The vulnerability was patched in version 1.9.25."}, {"lang": "es", "value": "Go Ethereum, o \"Geth\", es la implementaci\u00f3n oficial de Golang del protocolo Ethereum. En Geth versiones anteriores a 1.9.25, una vulnerabilidad de Denegaci\u00f3n de Servicio puede hacer a un servidor LES bloquearse por medio de una petici\u00f3n GetProofsV2 maliciosa de un cliente LES conectado. Esta vulnerabilidad solo afecta a usuarios que habilitan expl\u00edcitamente el servidor de archivos; deshabilitar archivos evita la explotaci\u00f3n. La vulnerabilidad fue parcheada en versi\u00f3n 1.9.25"}], "id": "CVE-2020-26264", "lastModified": "2020-12-14T18:06:07.520", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-12-11T17:15:12.793", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/commit/bddd103a9f0af27ef533f04e06ea429cf76b6d46"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/pull/21896"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.9.25"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-r33q-22hv-j29q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}