CVE-2022-37450 - OpenCVE

Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ethereum	Go Ethereum

Configuration 1 [-]

cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*

References

Link	Resource
http://dx.doi.org/10.13140/RG.2.2.27813.99043	Broken Link
https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94	Exploit Third Party Advisory
https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef
https://news.ycombinator.com/item?id=32354896	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-08-05T20:30:46

Updated: 2022-08-05T20:30:46

Reserved: 2022-08-05T00:00:00

Link: CVE-2022-37450

JSON object: View

NVD Information

Status : Modified

Published: 2022-08-05T21:15:09.087

Modified: 2023-11-07T03:49:51.753

Link: CVE-2022-37450

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-05T20:30:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94"}, {"tags": ["x_refsource_MISC"], "url": "https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef"}, {"tags": ["x_refsource_MISC"], "url": "http://dx.doi.org/10.13140/RG.2.2.27813.99043"}, {"tags": ["x_refsource_MISC"], "url": "https://news.ycombinator.com/item?id=32354896"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-37450", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94", "refsource": "MISC", "url": "https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94"}, {"name": "https://medium.com/@aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef", "refsource": "MISC", "url": "https://medium.com/@aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef"}, {"name": "http://dx.doi.org/10.13140/RG.2.2.27813.99043", "refsource": "MISC", "url": "http://dx.doi.org/10.13140/RG.2.2.27813.99043"}, {"name": "https://news.ycombinator.com/item?id=32354896", "refsource": "MISC", "url": "https://news.ycombinator.com/item?id=32354896"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-37450", "datePublished": "2022-08-05T20:30:46", "dateReserved": "2022-08-05T00:00:00", "dateUpdated": "2022-08-05T20:30:46", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ethereum:go_ethereum:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA2DEA63-8338-4869-83DA-D5ED75A6D76B", "versionEndIncluding": "1.10.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022."}, {"lang": "es", "value": "Go Ethereum (tambi\u00e9n se conoce como geth) versiones hasta 1.10.21, permite a atacantes aumentar las recompensas mediante la miner\u00eda de bloques en determinadas situaciones, y el uso de una manipulaci\u00f3n de los valores de diferencia de tiempo para lograr el reemplazo de los bloques de la cadena principal, tambi\u00e9n se conoce como Riskless Uncle Making (RUM), como es explotado \"in the wild\" en 2020 hasta 2022"}], "id": "CVE-2022-37450", "lastModified": "2023-11-07T03:49:51.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-05T21:15:09.087", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://dx.doi.org/10.13140/RG.2.2.27813.99043"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94"}, {"source": "cve@mitre.org", "url": "https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=32354896"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}