CVE-2022-37450
Published 2022-08-05
Priority: P278 · CVSS 3.1: 5.9 (medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 0.97% (57.5th percentile)
Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.
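The mechanism behind that description, shown as an added example rather than go-ethereum's own code: from Byzantium on, Ethereum proof-of-work difficulty (EIP-100) is adjusted by the time difference between a block and its parent, so a miner who stamps a block with the parent's timestamp plus one second gets a higher difficulty than a competing honest block at the same height that carries a realistic timestamp. Header validation only requires a timestamp later than the parent's, and geth's fork choice (the forkchoice.go lines in the references) switches to any head with strictly higher total difficulty, so the manipulated block displaces the honest one and the honest block ends up as an uncle. The Go below models this with the EIP-100 formula minus the difficulty-bomb term; the `Block` type, `NewChild`, `Scenario`, the constant names and the `LooksLikeRUM` heuristic are assumptions made for this example and are not geth APIs.

```go
package main

import (
	"fmt"
	"math/big"
)

// Added example, not go-ethereum code. Models the EIP-100 (Byzantium+)
// difficulty adjustment and a total-difficulty fork choice to show why a
// block with an earlier, manipulated timestamp can displace an honest block.

const (
	difficultyBoundDivisor = 2048   // parent difficulty moves in 1/2048 steps
	minimumDifficulty      = 131072 // floor from the Ethereum yellow paper
	difficultyPeriod       = 9      // seconds per adjustment step (EIP-100)
)

// CalcDifficulty is the EIP-100 rule without the difficulty-bomb term:
// diff = parent + parent/2048 * max(x - (time - parentTime)/9, -99), where
// x = 2 if the parent has uncles, else 1. Only the time difference matters.
func CalcDifficulty(parentDiff *big.Int, parentTime, blockTime uint64, parentHasUncles bool) *big.Int {
	x := int64(1)
	if parentHasUncles {
		x = 2
	}
	var elapsed uint64 // guard against unsigned underflow on bad input
	if blockTime > parentTime {
		elapsed = blockTime - parentTime
	}
	adj := x - int64(elapsed/difficultyPeriod)
	if adj < -99 {
		adj = -99
	}
	delta := new(big.Int).Div(parentDiff, big.NewInt(difficultyBoundDivisor))
	delta.Mul(delta, big.NewInt(adj))
	diff := new(big.Int).Add(parentDiff, delta)
	if diff.Cmp(big.NewInt(minimumDifficulty)) < 0 {
		diff.SetInt64(minimumDifficulty)
	}
	return diff
}

// Block is a minimal header holding only the fields the fork choice reads.
type Block struct {
	Number          uint64
	Time            uint64
	Difficulty      *big.Int
	TotalDifficulty *big.Int
	Miner           string
}

// NewChild builds a child of parent stamped blockTime. PoW header validation
// only demands blockTime > parent.Time; a stamp earlier than wall-clock time
// is accepted, which is exactly what the attacker relies on.
func NewChild(parent *Block, blockTime uint64, miner string) (*Block, error) {
	if blockTime <= parent.Time {
		return nil, fmt.Errorf("timestamp %d not after parent %d", blockTime, parent.Time)
	}
	diff := CalcDifficulty(parent.Difficulty, parent.Time, blockTime, false)
	return &Block{
		Number:          parent.Number + 1,
		Time:            blockTime,
		Difficulty:      diff,
		TotalDifficulty: new(big.Int).Add(parent.TotalDifficulty, diff),
		Miner:           miner,
	}, nil
}

// ReorgNeeded keeps the strict total-difficulty comparison of geth's fork
// choice; the same-TD tie-break is omitted because the attack never reaches it.
func ReorgNeeded(current, extern *Block) bool {
	return extern.TotalDifficulty.Cmp(current.TotalDifficulty) > 0
}

// LooksLikeRUM is a detection heuristic (an assumption for this example, not a
// geth check): a same-height replacement stamped earlier than the block it
// displaced, with less than one adjustment period between it and its parent.
func LooksLikeRUM(parent, displaced, replacing *Block) bool {
	return replacing.Number == displaced.Number &&
		replacing.Time < displaced.Time &&
		replacing.Time-parent.Time < difficultyPeriod
}

// Scenario: parent at t=1000; the honest block is stamped 13 s later, while the
// attacker, mining after seeing it, stamps parent+1 (constructed sample data).
func Scenario() (parent, honest, attacker *Block) {
	parent = &Block{Number: 100, Time: 1000,
		Difficulty: big.NewInt(1 << 40), TotalDifficulty: big.NewInt(1 << 50)}
	honest, _ = NewChild(parent, parent.Time+13, "honest")
	attacker, _ = NewChild(parent, parent.Time+1, "attacker")
	return parent, honest, attacker
}

func main() {
	parent, honest, attacker := Scenario()
	fmt.Printf("honest   diff=%s td=%s\n", honest.Difficulty, honest.TotalDifficulty)
	fmt.Printf("attacker diff=%s td=%s\n", attacker.Difficulty, attacker.TotalDifficulty)
	fmt.Println("fork choice switches to attacker block:", ReorgNeeded(honest, attacker))
	fmt.Println("flagged by heuristic:", LooksLikeRUM(parent, honest, attacker))
}
```

With a 13 second honest gap the adjustment term is 1 - 13/9 = 0, so the honest block inherits the parent's difficulty; the attacker's one second gap gives 1 - 0 = 1, adding parent/2048 and winning the total-difficulty comparison even though its block was produced later. The heuristic is deliberately narrow (one-second stamps at a contested height) and would need tuning against real chain data before use as a detection rule.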
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethereum | go_ethereum | <= 1.10.21 | — |
| github.com | ethereum_go-ethereum | 0 – 1.10.21 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| VulnCheck | 7.5 | HIGH | — |
OSV (2022-08-06)
CVE-2022-37450 [MEDIUM] Go Ethereum allows attackers to use manipulation of time-difference values to achieve replacement of main-chain blocks
GHSA (2022-08-06)
CVE-2022-37450 [MEDIUM] Go Ethereum allows attackers to use manipulation of time-difference values to achieve replacement of main-chain blocks
VulnCheck (2022, CVSS 7.5)
CVE-2022-37450 [HIGH] Go Ethereum (Geth) Time-Difference Value Manipulation Vulnerability
Affected: ethereum go_ethereum
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediations or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2021-3006; https://www.cve.org/CVERecord?id=CVE-2022-37450
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://dx.doi.org/10.13140/RG.2.2.27813.99043
https://github.com/ethereum/go-ethereum/blob/671094279e8d27f4b4c3c94bf8b636c26b473976/core/forkchoice.go#L91-L94
https://medium.com/%40aviv.yaish/uncle-maker-time-stamping-out-the-competition-in-ethereum-d27c1cb62fef
https://news.ycombinator.com/item?id=32354896
Timeline
2022-08-05: Published
Exploited in the wild