CVE-2018-12018 : Security Advisory and Response

In versions of Go Ethereum (geth) prior to 1.8.11, a vulnerability known as EPoD (Ethereum Packet of Death) exists in the LES protocol implementation's GetBlockHeadersMsg handler, allowing attackers to launch a Denial of Service attack.

Understanding CVE-2018-12018

This CVE involves a flaw in the LES protocol implementation of Go Ethereum (geth) that can lead to a remote node crash.

What is CVE-2018-12018?

The vulnerability in the GetBlockHeadersMsg handler of the LES protocol in Go Ethereum (geth) before version 1.8.11 allows attackers to trigger a Denial of Service attack by exploiting an integer signedness error.

The Impact of CVE-2018-12018

Attackers can crash a targeted remote node by sending a packet with a -1 query.Skip value
Known as the EPoD (Ethereum Packet of Death) vulnerability

Technical Details of CVE-2018-12018

This section provides more technical insights into the vulnerability.

Vulnerability Description

Involves an integer signedness error in the array index processing
Allows attackers to crash remote nodes by sending a specific packet

Affected Systems and Versions

Versions of Go Ethereum (geth) before 1.8.11

Exploitation Mechanism

Attackers exploit an integer signedness error to send a malicious packet
By sending a packet with a -1 query.Skip value, attackers can crash the targeted remote node

Mitigation and Prevention

Protecting systems from CVE-2018-12018 requires immediate actions and long-term security practices.

Immediate Steps to Take

Update Go Ethereum (geth) to version 1.8.11 or newer
Monitor network traffic for suspicious activity

Long-Term Security Practices

Regularly update software and apply security patches
Implement network segmentation to limit the impact of potential attacks

Patching and Updates

Update to Go Ethereum (geth) version 1.8.11 or above to mitigate the vulnerability