PT-2020-16387 · Ethereum · Geth

Fjl · +1

Published: 2020-12-11 · Updated: 2021-06-29 · CVE-2020-26264

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Geth versions prior to 1.9.25

Description: A denial-of-service issue can cause a LES server crash via a malicious GetProofsV2 request from a connected LES client. This issue only affects users who have explicitly enabled the LES server. Disabling the LES server prevents the exploit.

Recommendations: For versions prior to 1.9.25, update to version 1.9.25 or later to resolve the issue. As a temporary workaround, consider disabling the LES server to prevent the exploit. Manually applying the patch from https://github.com/ethereum/go-ethereum/pull/21896 can also fix the vulnerability.

Fix

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2020-26264
GHSA-R33Q-22HV-J29Q
GO-2021-0063

Affected Products

Geth