CVE-2018-12018 — Improper Validation of Array Index in Ethereum Go-ethereum

CWE-129 — Improper Validation of Array Index5 documents4 sources

Severity

7.5HIGHNVD

EPSS

12.2%

top 6.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Ethereum Go-ethereum Ethereum GO Ethereum

Timeline

PublishedJul 5

Latest updateMay 14

Description

The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDethereum/go_ethereum< 1.8.11

▶Gogithub.com/ethereum_go-ethereum< 1.8.11

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Go Ethereum LES protocol implementation vulnerable to Denial of Service↗2022-05-14

▶

OSV

Go Ethereum LES protocol implementation vulnerable to Denial of Service↗2022-05-14

▶

OSV

Panic due to improper validation of RPC messages in github.com/ethereum/go-ethereum↗2021-04-14

▶

CVEList

CVE-2018-12018: The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1↗2018-07-05

▶