Maria Irene
Rab13s Vulnerabilities Expose Over $25 Billion in Digital Assets: Halborn Discovers Critical Flaws in 280+ Blockchain Networks
In March 2022, the cybersecurity firm Halborn made a startling discovery while assessing the security of Dogecoin’s open-source codebase. Halborn identified several critical vulnerabilities affecting not only Dogecoin but also over 280 other blockchain networks, including Litecoin and Zcash. These vulnerabilities, collectively referred to as Rab13s, have put more than $25 billion worth of digital assets at risk.
The Rab13s vulnerabilities were found in the peer-to-peer (p2p) communication and remote procedure call (RPC) mechanisms of the affected networks. These vulnerabilities increase the likelihood of denial-of-service attacks, remote code execution, and other severe security risks. As a result, stakeholders in the blockchain and cryptocurrency communities are now scrambling to address these concerns and secure their networks.
Hossam Mohamed, Senior Offensive Security Engineer at Halborn, led the research team that discovered the Rab13s vulnerabilities. The team found multiple vulnerabilities in the open-source code for blockchain networks like Dogecoin, Litecoin, and many others with similar codebases. The most critical vulnerability discovered is related to the p2p communications. Attackers can craft consensus messages and send them to individual nodes, taking them offline.
An attacker can crawl the network peers using getaddr messages and attack the unpatched nodes. While some of the other issues were known CVEs (Common Vulnerabilities and Exposures) from Bitcoin, another zero-day identified by Halborn was uniquely related to Dogecoin, including an RPC Remote code execution vulnerability impacting individual miners.
Subsequently, variants of these zero-days were also discovered in similar blockchain networks, including Litecoin and Zcash. Due to codebase differences between the networks, not all the vulnerabilities are exploitable on all the networks. However, at least one of them may be exploitable on each network. On vulnerable networks, a successful exploitation of the relevant vulnerability could lead to denial of service or remote code execution.
Halborn has made a good faith effort to contact the affected networks for responsible disclosure. However, all affected networks are encouraged to contact Halborn at disclosures@halborn.com. The company has shared all necessary technical information with the identified stakeholders to help them remediate the bugs and release the necessary patches for the community and miners.
The risks and consequences of the Rab13s vulnerabilities are far-reaching. They lie within the p2p messaging mechanisms in the affected networks, which, due to their simplicity, increase the likelihood of an attack. With this vulnerability, an attacker can send crafted malicious consensus messages to individual nodes, causing each to shut down and eventually expose the network to risks like 51% attacks and other severe issues.
The second vulnerability in the RPC services allows an attacker to crash the node via RPC requests. However, successful exploitation requires valid credentials, which reduces the likelihood of the entire network being at risk, as some nodes implement the stop command.
The third vulnerability allows attackers to execute code in the context of the user running the node through the public interface (RPC). However, the likelihood of this exploit is lower, as it requires a valid credential to carry out the attack.
In response to these discoveries, Halborn has successfully developed an exploit kit for Rab13s that includes a proof of concept with configurable parameters to demonstrate the attacks on different networks. Halborn did not share the exploit kit code with any party.
For projects using a UTXO-based node (e.g., Dogecoin), Halborn recommends upgrading all nodes to the latest version (1.14.6). Halborn is not releasing further technical or exploit detail at this
