SRLabs claims that only two thirds of the Ethereum client software that runs on Ethereum nodes has been patched against a critical security flaw.
Global hacking research collective SRLabs claims that only two thirds of the Ethereum client software that runs on Ethereum nodes has been patched against a critical security flaw discovered earlier this year. The news was reported by business tech website ZDNet on May 17.
An SRLabs report ostensibly shared with ZDNet has reportedly revealed that the critical flaw is a denial of service (DoS) vulnerability in the Ethereum Parity client. As SRLabs has outlined, the flaw could enable a hacker to remotely crash legitimate Parity Ethereum nodes by sending malformed packets.
Should sufficient malicious nodes overwhelm the network and gain a 51% majority, they could potentially commit double-spends and validate unsound transactions, ZDNet notes.
While the issue was addressed with the release of the Parity Ethereum client v2.2.10 in mid-February — just a few days after the flaw was reported by SRLabs — SRLabs researcher Karsten Nohl told ZDNet that:
“According to our collected data, only two thirds of nodes have been patched so far.”
One month after the issue was successfully patched in the new Parity release, SRLabs researchers reportedly scanned the Ethereum blockchain to check how many Parity nodes had updated their clients to the new version. The report notes:
“One month after this alert, we used data from Ethernodes.org to assess the security of the Ethereum node landscape and found that around 40% of all scanned Parity Ethereum nodes […] remained unpatched and thus vulnerable to the mentioned attack.”
The data reportedly indicates that unpatched Parity nodes comprise 15% of all scanned nodes — implying that 15% of all Ethereum nodes are vulnerable to a potential 51% attack.
The sluggish pace of patching in response to discovered vulnerabilities was purportedly further demonstrated in SRLabs’ broader analysis, which found that 7% of active Parity Ethereum nodes had not been patched for nine months, leaving them susceptible to other detected flaws.
A similar slow pace was discovered for a different Ethereum node client, Go-Ethereum (Geth), with 44% of Geth nodes reportedly not having applied a critical security update (v1.8.21).
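To illustrate the kind of version check such a node scan relies on, the following is an added Python example (not SRLabs', Ethernodes.org's or either client's own code) that classifies devp2p client identifier strings against the two fixed versions the article names, v2.2.10 for Parity Ethereum and v1.8.21 for Geth; versions are compared as integer tuples so that 2.2.9 correctly sorts below 2.2.10 (a plain string comparison would get this wrong), and the sample identifier strings are constructed for the example.

```python
import re
from collections import Counter

# Minimum patched versions named in the article (client name -> version tuple).
MIN_PATCHED = {"parity-ethereum": (2, 2, 10), "geth": (1, 8, 21)}

# devp2p client ids look like "<name>/v<major>.<minor>.<patch>-<build>/<platform>/<compiler>".
_VERSION_RE = re.compile(r"^([^/]+)/v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample of scanned client ids, not real scan data.
SAMPLE_NODES = [
    "Parity-Ethereum/v2.2.10-stable-2c2a7d5-20190215/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.2.9-stable-0000000-20190101/x86_64-linux-gnu/rustc1.31.1",
    "Parity-Ethereum/v2.3.0-beta-0000000-20190201/x86_64-linux-gnu/rustc1.32.0",
    "Geth/v1.8.21-stable-9dc5d1a9/linux-amd64/go1.11.4",
    "Geth/v1.8.20-stable-24d727b6/linux-amd64/go1.11.2",
    "Geth/v1.9.0-unstable/linux-amd64/go1.12",
    "Nethermind/v0.0.1",   # a client the check does not track
    "garbage",             # unparseable id, skipped
]


def parse_client(client_id):
    """Return (lower-case client name, (major, minor, patch)) or None if unparseable."""
    m = _VERSION_RE.match(client_id.strip())
    if not m:
        return None
    return m.group(1).lower(), tuple(int(x) for x in m.group(2, 3, 4))


def is_patched(client_id):
    """True/False for a tracked client; None for untracked or unparseable ids."""
    parsed = parse_client(client_id)
    if parsed is None or parsed[0] not in MIN_PATCHED:
        return None
    name, version = parsed
    return version >= MIN_PATCHED[name]


def patch_summary(client_ids):
    """Per-client patched/unpatched counts plus the unpatched share of all parseable nodes."""
    per_client = {name: Counter() for name in MIN_PATCHED}
    total = 0
    for cid in client_ids:
        parsed = parse_client(cid)
        if parsed is None:
            continue
        total += 1
        name, version = parsed
        if name in MIN_PATCHED:
            per_client[name]["patched" if version >= MIN_PATCHED[name] else "unpatched"] += 1
    unpatched = sum(c["unpatched"] for c in per_client.values())
    return per_client, (unpatched / total if total else 0.0)
```

The same classifier can be pointed at the client id reported by a node's own `web3_clientVersion` RPC result to audit nodes you operate.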
Nohl noted that Parity’s highly complex automated update process lacks reliability when nodes are not configured correctly, while the Geth client lacks an auto update system altogether.
The unpatched nodes ostensibly pose a risk to the entire network, as they could be crashed to reduce the costs of carrying out a blockchain-wide 51% attack, ZDNet notes.
Source: CoinTelegraph