Bitcoin Core :: Disclosure of CVE-2020-14198



Bitcoin Core maintained an unlimited list of banned IP addresses and performed a quadratic operation
on it. This could lead to an OOM crash and a CPU DoS.

This issue is considered High severity.

Details

Bitcoin Core maintained a list of banned IP addresses. This list was not bounded and could be
manipulated by an adversary. Adding new entries to this list was particularly cheap for an attacker
when considering IPv6. In addition, when receiving a GETADDR message, Bitcoin Core would scan the
entire ban list for every single address to be returned (up to 2500).
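The following is an added illustrative model of the two designs described above; it is not Bitcoin Core's code and does not reproduce the change made in PR #19219. It models the ban list as a plain vector of address strings that is scanned linearly for every candidate address in a GETADDR response, and sets it beside a hardened variant (a hash set with O(1) membership tests and a hard cap on entries, here with FIFO eviction). Both classes count how many ban-list comparisons one response costs, which makes the quadratic blow-up measurable; the cap of 100 entries, the 1000 constructed ban entries and the address strings are all made-up sample values.

```cpp
#include <cstddef>
#include <deque>
#include <iostream>
#include <string>
#include <unordered_set>
#include <vector>

// Illustrative model only (not Bitcoin Core's implementation).
// Addresses are plain strings; a real node keys on IP and netmask.

// Outcome of answering one GETADDR: addresses returned and how many
// ban-list comparisons answering it cost.
struct AddrResponse {
    std::size_t returned;
    std::size_t comparisons;
};

// Vulnerable pattern: unbounded vector scanned from the start for every
// candidate address. Cost is O(candidates * banned_entries).
class LinearBanList {
public:
    void Ban(const std::string& addr) { banned_.push_back(addr); }  // no cap on growth
    AddrResponse GetAddr(const std::vector<std::string>& candidates, std::size_t max_return) const {
        AddrResponse r{0, 0};
        for (const auto& a : candidates) {
            if (r.returned >= max_return) break;
            bool is_banned = false;
            for (const auto& b : banned_) {  // full scan per candidate
                ++r.comparisons;
                if (b == a) { is_banned = true; break; }
            }
            if (!is_banned) ++r.returned;
        }
        return r;
    }
    std::size_t Size() const { return banned_.size(); }
private:
    std::vector<std::string> banned_;
};

// Hardened pattern: hash set for O(1) lookups plus a hard cap on entries.
// When the cap is reached the oldest entry is evicted, so memory is bounded
// regardless of how many ban entries an adversary can trigger.
class BoundedBanSet {
public:
    explicit BoundedBanSet(std::size_t cap) : cap_(cap) {}
    void Ban(const std::string& addr) {
        if (banned_.count(addr)) return;
        if (order_.size() >= cap_) {
            banned_.erase(order_.front());
            order_.pop_front();
        }
        banned_.insert(addr);
        order_.push_back(addr);
    }
    AddrResponse GetAddr(const std::vector<std::string>& candidates, std::size_t max_return) const {
        AddrResponse r{0, 0};
        for (const auto& a : candidates) {
            if (r.returned >= max_return) break;
            ++r.comparisons;  // one hash lookup per candidate
            if (!banned_.count(a)) ++r.returned;
        }
        return r;
    }
    std::size_t Size() const { return banned_.size(); }
private:
    std::size_t cap_;
    std::unordered_set<std::string> banned_;
    std::deque<std::string> order_;
};

struct DemoResult {
    AddrResponse linear;
    AddrResponse bounded;
    std::size_t linear_size;
    std::size_t bounded_size;
};

// Builds constructed sample data (n_banned >= 1): n_banned ban entries and
// n_candidates candidate addresses whose first entry is still banned in both
// structures, then answers one GETADDR capped at 2500 addresses, as on the page.
DemoResult RunDemo(std::size_t n_banned, std::size_t n_candidates, std::size_t cap) {
    LinearBanList linear;
    BoundedBanSet bounded(cap);
    for (std::size_t i = 0; i < n_banned; ++i) {
        std::string a = "banned-" + std::to_string(i);
        linear.Ban(a);
        bounded.Ban(a);
    }
    std::vector<std::string> candidates;
    candidates.push_back("banned-" + std::to_string(n_banned - 1));  // most recent ban survives eviction
    for (std::size_t j = 1; j < n_candidates; ++j) candidates.push_back("peer-" + std::to_string(j));
    const std::size_t kMaxAddr = 2500;
    return {linear.GetAddr(candidates, kMaxAddr), bounded.GetAddr(candidates, kMaxAddr),
            linear.Size(), bounded.Size()};
}

int main() {
    DemoResult r = RunDemo(1000, 2500, 100);
    std::cout << "linear: " << r.linear_size << " entries, " << r.linear.comparisons
              << " comparisons, " << r.linear.returned << " returned\n";
    std::cout << "bounded: " << r.bounded_size << " entries, " << r.bounded.comparisons
              << " comparisons, " << r.bounded.returned << " returned\n";
    return 0;
}
```

With 1000 ban entries and a 2500-address response the linear design performs 2,500,000 string comparisons for a single GETADDR, while the bounded set performs 2500 lookups and never holds more than its cap. Counting comparisons this way is a cheap check to add to a unit test whenever a per-request operation iterates a data structure whose size is under remote control.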

Attribution

Calin Culianu first responsibly disclosed it. Calin later publicly disclosed the bug in a PR
comment.

On the same day, Jason Cox from Bitcoin ABC emailed the Bitcoin Core project to share the same
report, which Bitcoin ABC had also received.

Timeline

2020-06-08 Calin Culianu privately reports the bug to the Bitcoin Core project
2020-06-08 Jason Cox privately shares the (same) report sent to Bitcoin ABC with Bitcoin Core
2020-06-08 Calin Culianu publicly discloses the vulnerability on the original PR which introduced the quadratic behaviour
2020-06-09 Pieter Wuille opens PR #19219 which fixes both the unbounded memory usage and the quadratic behaviour
2020-06-16 Luke Dashjr gets assigned CVE-2020-14198 for this vulnerability after his request
2020-07-07 Pieter’s PR is merged
2020-08-01 Bitcoin Core 0.20.1 is released with the fix
2021-01-14 Bitcoin Core 0.21.0 is released with the fix
2022-04-25 The last vulnerable Bitcoin Core version (0.20.0) goes EOL
2024-07-03 (Official) Public Disclosure