CVE-2018-17144
Published 2018-09-19
CVE-2018-17144: Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial…
Priority: P339 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploited in the wild (ITW)
EPSS: 6.75% (93.2nd percentile)
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
## Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bitcoin | bitcoin_core | >= 0.14.0 < 0.14.3 | 0.14.3 |
| bitcoin | bitcoin_core | >= 0.15.0 < 0.15.2 | 0.15.2 |
| bitcoin | bitcoin_core | >= 0.16.0 < 0.16.3 | 0.16.3 |
| bitcoinknots | bitcoin_knots | >= 0.14.0 < 0.16.3 | 0.16.3 |
| debian | litecoin | < litecoin 0.16.3-1 (bookworm) | litecoin 0.16.3-1 (bookworm) |
## Detection & IOCs
- The vulnerability is exploitable by miners crafting a transaction that double spends (duplicate input), causing a DoS crash of any node that receives a mined block containing such a transaction.
- The vulnerability is classified as a reachable assertion weakness (CWE-617); monitor for unexpected assertion failures or crashes in bitcoind/Bitcoin-Qt processes triggered by block processing.
- An attacker can make bitcoind or Bitcoin-Qt crash; monitor for abnormal process termination of these processes as an indicator of exploitation.
- Identify Bitcoin/altcoin nodes running versions prior to the fixed releases (Bitcoin Core 0.14.3, 0.15.2, 0.16.3) as vulnerable; patch adoption was only 31.65% of all nodes a full year after disclosure.
- The vulnerability is exploitable only by miners (block producers), as the malicious duplicate-input transaction must be included in a mined block to crash receiving nodes.
- The vulnerability was present since 2017 but patched only in 2019 across the broader ecosystem; many Bitcoin clone projects may still be unpatched.
- CVE-2018-17144 has been extended to cover 384 additional cryptocurrency projects; detection scope should include Bitcoin clones, not just Bitcoin Core and Bitcoin Knots.
## CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
## GHSA
GHSA-35hw-99vw-mgp5: Bitcoin Core 0…
ghsa_unreviewed · 2022-05-13 · severity HIGH
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
## OSV
CVE-2018-17144: Bitcoin Core 0…
osv · 2018-09-19 · CVSS 7.5 · severity HIGH
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
## Debian
CVE-2018-17144: litecoin - Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16....
vendor_debian · 2018 · CVSS 7.5 · severity HIGH
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
Scope: local
- bookworm: resolved (fixed in 0.16.3-1)
- bullseye: resolved (fixed in 0.16.3-1)
- sid: resolved (fixed in 0.16.3-1)
- trixie: resolved (fixed in 0.16.3-1)
No detection rules found.
No public exploits indexed.
## arXiv
Attack of the Clones: Measuring the Maintainability, Originality and Security of Bitcoin 'Forks' in the Wild
arxiv_fulltext · 2022-01-21
Authors: Jusop Choi, Wonseok Choi, William Aiken, Hyoungshick Kim (Sungkyunkwan University, Republic of Korea); Jun Ho Huh (Samsung Research, Republic of Korea); Taesoo Kim (Georgia Institute of Technology, USA); Yongdae Kim (Korea Advanced Institute of Science and Technology, Republic of Korea); Ross Anderson (Cambridge University, UK)
## Abstract
Since Bitcoin appeared in 2009, over 6,000 different cryptocurrency projects have followed. The cryptocurrency world may be the only technology where a massive number of competitors offer similar services yet claim unique benefits, including scalability, fast transactions, and security. But are these projects real…
## arXiv
CoinWatch: A Clone-Based Approach For Detecting Vulnerabilities in Cryptocurrencies
arxiv_fulltext · 2020-10-28
© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Authors: Qingze Hum, Wei Jin Tan, Shi Ying Tey, Latasha Lenus (Singapore University of Technology and Design); Ivan Homoliak (FIT, Brno University of Technology); Yun Lin (National University of Singapore); Jun Sun (Singapore Management University)
## arXiv
All roads lead to Rome: Many ways to double spend your cryptocurrency
arxiv_fulltext · 2018-11-16
Authors: Zhiniang Peng, Yuki Chen (Qihoo 360)
## Abstract
In 2008, Satoshi Nakamoto proposed an electronic cash system (bitcoin) that is completely realized by peer-to-peer technology. The core value of this scheme is that it proposes a solution based on Proof-of-Work, so that the cash system can run in a peer-to-peer environment and be able to prevent double-spend attacks. Bitcoin has been developed for ten years, and since then countless digital currencies have been created. But the discussion of double-spend attacks seems to still concentrate on 51% Attacks. In fact, our research has found that there are many other ways to achieve double-spend attacks. In this paper, by introducing a number of dou…
## References
- https://bitcoincore.org/en/2018/09/18/release-0.16.3/
- https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17144
- https://github.com/JinBean/CVE-Extension
- https://github.com/bitcoin/bitcoin/blob/v0.16.3/doc/release-notes.md
- https://github.com/bitcoinknots/bitcoin/blob/v0.16.3.knots20180918/doc/release-notes.md