Disclosure of memory DoS using low-difficulty headers (≤ version 0.14.3)

Bitcoin Core writes:

After Bitcoin Core 0.12.0 and before Bitcoin Core 0.15.0 a node could be spammed with minimum
difficulty headers, which could possibly be leveraged to crash it by OOM.

This issue is considered Medium severity.

Details

Before the introduction of headers pre-synchronisation, nodes relied exclusively on
checkpoints to avoid getting spammed by low-difficulty headers.

In Bitcoin Core 0.12.0 a check for headers forking before the last checkpoint’s height was moved to
after storing the header in mapBlockIndex. This allowed an attacker to grow the map unboundedly by
spamming headers whose parent is the genesis block (which only need difficulty 1 to create), as such
blocks bypassed the checkpoint logic.
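
The ordering problem described above can be shown with a simplified model. This is an added example, not Bitcoin Core code: `HeaderIndex`, `Accept`, `IndexGrowth`, the string hashes and the checkpoint height of 100 are all hypothetical, and the model assumes the node has already synced the honest chain up to the checkpoint.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <unordered_map>

// Simplified model of a header index; NOT Bitcoin Core code, all names hypothetical.
struct Header { std::string hash, prev; };

class HeaderIndex {
    std::unordered_map<std::string, int> index_;  // hash -> height; entries are never erased
    int checkpoint_height_;
    bool check_before_store_;
public:
    // Assumption: the honest chain up to the checkpoint is already indexed.
    HeaderIndex(int checkpoint_height, bool check_before_store)
        : checkpoint_height_(checkpoint_height), check_before_store_(check_before_store) {
        index_["genesis"] = 0;
        for (int h = 1; h <= checkpoint_height; ++h)
            index_["main-" + std::to_string(h)] = h;
    }
    // Returns true if the header is accepted as valid.
    bool Accept(const Header& h) {
        if (index_.count(h.hash)) return true;              // duplicate of a known header
        auto parent = index_.find(h.prev);
        if (parent == index_.end()) return false;           // unknown parent
        int height = parent->second + 1;
        bool old_fork = height < checkpoint_height_;        // forks before the last checkpoint
        if (check_before_store_ && old_fork) return false;  // rejected, no state allocated
        index_[h.hash] = height;                            // state is allocated here
        return !old_fork;                                   // late check: rejected but already stored
    }
    std::size_t Size() const { return index_.size(); }
};

// Feed n constructed headers that all build directly on genesis; return index growth.
std::size_t IndexGrowth(bool check_before_store, int n) {
    HeaderIndex idx(/*checkpoint_height=*/100, check_before_store);
    std::size_t before = idx.Size();
    for (int i = 0; i < n; ++i)
        idx.Accept({"fork-" + std::to_string(i), "genesis"});
    return idx.Size() - before;
}

int main() {
    std::printf("check after store:  +%zu entries\n", IndexGrowth(false, 1000));
    std::printf("check before store: +%zu entries\n", IndexGrowth(true, 1000));
}
```

In both orderings the forked headers are reported as rejected; only the check-before-store ordering keeps the rejection from leaving a permanent entry behind.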

Attribution

Credits to Cory Fields for finding and responsibly disclosing the bug.

Timeline

  • 2017-08-08 Cory Fields privately reports the bug
  • 2017-08-11 Pieter Wuille opens PR #11028 to fix it
  • 2017-08-14 PR #11028 is merged
  • 2017-09-14 Bitcoin Core version 0.15.0 is released with a fix
  • 2018-10-03 The last vulnerable version of Bitcoin Core (0.14.3) goes end of life
  • 2024-07-03 Public disclosure.