Re: Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network.

[sjw () gmx ch]

Hi,

A patch [1] has just been merged upstream. The associated PR was already 
public for weeks and mentions a mitigation script [2] that was known for 
years already. Are they are related to the same DoS vulnerability that 
is now exploited in the wild?


[1] 
https://github.com/monero-project/monero/commit/ec74ff4a3d3ca38b7912af680209a45fd1701c3d
[2] https://github.com/Gingeropolous/p2r2n_defender



> Hello,
>
> About an hour ago, a group appearing to be named WyRCV2 posted a note on the nostr social network, which can be found 
> at the following link: https://primal.net/e/note1vzh0mj9rcxax9cgcdapupyxeehjprd68gd9kk9wrv939m8knulrs4780x7
>
> > Monero Zero-day vulnerability and exploit
> >
> > Take down the XMR network with us, make the future a better a place.
> Save, share, use.
> > https:[//]anonpaste.org/?cccb7639afbd0650#HaMQAfzFdCqMDh9MwNuGRGUBXLgtk5yHWdAzS7MbvEVN
>
> The paste link includes a list of nodes that the attacker has instructed to target, along with a Python code to 
> leverage the attack. According to their explanation, this vulnerability is expected to be patched in the next release 
> of Monero. Any Monero node that exposes its RPC port is vulnerable to memory exhaustion.
>
> I can confirm that the Python code works and using it against a test node leads to a crash due to memory exhaustion. 
> The code is extremely simple, as it spams requests without attempting to read responses, causing Monero to keep them 
> indefinitely in memory until a crash occurs.
>
> The attackers claim to have taken down 8 public nodes and 1 seed node, which is used as a rendezvous point for new 
> nodes to connect to the network.

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature