Cisco Talos, the cyberthreat research division of the technology conglomerate Cisco Systems Inc., has disclosed a number of vulnerabilities in the software of the Ethereum clients Parity and Ethereum C++ (CPP).
— Talos Group (@TalosSecurity) January 9, 2018
As Cisco's experts concluded, incorrect processing of smart contracts that use the create2 opcode can trigger a DoS attack: an attacker can force the node to apply the SHA1 function to a huge amount of data.
Activation of create2 on the Ethereum mainnet is planned for the second phase of the Metropolis hard fork, called Constantinople.
For now this vulnerability threatens only those nodes that already support the create2 opcode. Potentially, however, the Ethereum network could face an attack on all nodes at once immediately after the hard fork is activated, when create2 becomes enabled by default.
In addition, according to Cisco, an attacker can obtain confidential information in the form of a smart contract address as a result of a data leak in the Ethereum Virtual Machine (EVM).
The Parity Ethereum client is written in the Rust programming language and by default exposes a JSON-RPC interface with a fairly "liberal" cross-domain request policy. If a user visits a malicious site while the interface's daemon is misconfigured, confidential information can leak. An attacker can also gain access to Parity settings and network configuration.
Security specialists also note that many APIs in the CPP JSON-RPC implementation are exposed to malicious JSON requests, which can let an attacker gain administrative access to the restricted functionality of those APIs while bypassing authorization.
Notably, even the IP address converter in this case remains unprotected against CSRF and SSRF attacks.
A vulnerability in the JSON-RPC server implementation can also become a loophole for a potential DoS attack. Due to errors in the handling of some APIs, an attacker can send a malformed JSON packet and thereby disrupt the normal operation of the node.
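The three JSON-RPC weaknesses above (a permissive cross-origin policy, administrative methods reachable without authorization, and malformed requests that disturb the node) share one defensive pattern: gate the origin, validate the request structure, and answer bad input with a JSON-RPC error instead of letting it reach the handlers. The following is an added illustration, not code from Parity or CPP; the allow-list, the "admin" namespace rule, the token and the two handlers are constructed for the example.

```python
import json

# Constructed policy for this example: only the local wallet UI may call the
# node from a browser, and "admin_*" methods need an explicit auth token.
ALLOWED_ORIGINS = {"http://127.0.0.1:8180"}
PRIVILEGED_NAMESPACES = {"admin"}
ADMIN_TOKEN = "example-token"      # constructed; a real node loads this from config
MAX_BODY_BYTES = 64 * 1024         # bound the work a single request can cause

def demo_echo(params):             # constructed handler: returns its first param
    return params[0]

def admin_set_value(params):       # constructed privileged handler
    return {"set": params[0]}

METHODS = {"demo_echo": demo_echo, "admin_setValue": admin_set_value}

def rpc_error(code, message, req_id=None):
    return {"jsonrpc": "2.0", "error": {"code": code, "message": message}, "id": req_id}

def handle_rpc(raw_body, origin=None, auth_token=None):
    """Validate one JSON-RPC request and return the response object.

    origin is the HTTP Origin header (browsers send it on cross-site requests);
    auth_token is whatever credential the caller presented, or None.
    """
    # Cross-origin gate: an unknown Origin is refused before any parsing.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return rpc_error(-32000, "origin not allowed")
    if len(raw_body) > MAX_BODY_BYTES:
        return rpc_error(-32000, "request too large")
    # Malformed or absurdly nested bodies get the standard parse-error reply
    # instead of an exception escaping into the server loop.
    try:
        req = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        return rpc_error(-32700, "parse error")
    req_id = req.get("id") if isinstance(req, dict) else None
    # Structural checks keep handlers from ever seeing unexpected types.
    if (not isinstance(req, dict) or req.get("jsonrpc") != "2.0"
            or not isinstance(req.get("method"), str)
            or not isinstance(req.get("params", []), (list, dict))):
        return rpc_error(-32600, "invalid request", req_id)
    method, params = req["method"], req.get("params", [])
    # Privileged namespaces need authorization regardless of where the call came from.
    if method.split("_", 1)[0] in PRIVILEGED_NAMESPACES and auth_token != ADMIN_TOKEN:
        return rpc_error(-32001, "unauthorized", req_id)
    handler = METHODS.get(method)
    if handler is None:
        return rpc_error(-32601, "method not found", req_id)
    try:
        return {"jsonrpc": "2.0", "result": handler(params), "id": req_id}
    except (IndexError, KeyError, TypeError):  # wrong params shape must not crash the node
        return rpc_error(-32602, "invalid params", req_id)
```

Every rejection path returns a response object with a standard error code, so a hostile request costs the node one bounded parse and never an unhandled exception.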