The Impact of an Infinite Loop Bug in Miniupnp, a Bitcoin Core Dependency
The disclosure of an infinite loop bug in miniupnp, a dependency of Bitcoin Core, led to the release of a fix in Bitcoin Core version v22.0 on September 14, 2021. The issue is currently classified as low severity.
Exploring the Details of the Bug
Miniupnp, the UPnP library used by Bitcoin Core, runs its discovery process whenever it receives data from a device on the network, even random data, and allocates memory for each new device record it parses. An attacker on the local network can exploit this by posing as a UPnP device and flooding Bitcoin Core nodes with bogus M-SEARCH replies until the node's memory is exhausted.
It is important to note that only users who run with the -miniupnp option enabled are susceptible to this bug, as Miniupnp is disabled by default.
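The defensive side of the bug described above is a discovery loop with bounds on it. The following is an added example, not code from miniupnp or Bitcoin Core: a minimal SSDP M-SEARCH reply collector that caps the number of device records, the size of each reply and the wall-clock time spent in discovery, so a flood of bogus replies cannot grow memory without limit. The limits, the `flood` sample input and the `stepping_clock` helper are all constructed for illustration.

```python
import time
# Hypothetical limits for illustration; miniupnpc's actual fix is not reproduced here.
MAX_DEVICES = 64          # distinct device records kept per discovery run
MAX_REPLY_BYTES = 4096    # largest single SSDP reply we are willing to parse
DISCOVERY_DEADLINE = 2.0  # seconds; discovery ends even if replies keep arriving

def parse_reply(raw: bytes):
    """Parse one SSDP M-SEARCH reply into (location, st, usn); None if oversized or malformed."""
    if len(raw) > MAX_REPLY_BYTES:
        return None
    try:
        status, *header_lines = raw.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in header_lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    if not all(h in headers for h in ("LOCATION", "ST", "USN")):
        return None
    return headers["LOCATION"], headers["ST"], headers["USN"]

def collect_devices(replies, now=time.monotonic):
    """Bounded discovery: dedupe by USN, stop at the device cap or the deadline."""
    devices = {}
    deadline = now() + DISCOVERY_DEADLINE
    for raw in replies:
        if now() > deadline or len(devices) >= MAX_DEVICES:
            break
        dev = parse_reply(raw)
        if dev is not None and dev[2] not in devices:
            devices[dev[2]] = dev
    return list(devices.values())

def flood(count):
    """Constructed sample input: a stream of replies, each claiming a new USN."""
    for i in range(count):
        yield (f"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.{i % 250 + 1}/desc.xml\r\n"
               f"ST: upnp:rootdevice\r\nUSN: uuid:{i}::upnp:rootdevice\r\n\r\n").encode()

def stepping_clock(step=0.5):
    """Constructed clock advancing `step` seconds per call, so the deadline can be tested offline."""
    t = [0.0]
    def now():
        t[0] += step
        return t[0]
    return now
```

Without the cap, `collect_devices(flood(100000))` would keep 100000 records; with it, the run ends at `MAX_DEVICES`, and an endless stream of unparseable data ends at the deadline instead of looping forever.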
Acknowledging the Contributors
Ronald Huveneers first reported the infinite loop bug to the miniupnp project, and Michael Ford (Fanquake) escalated the issue to the Bitcoin Core project. Ford not only provided a proof of concept that triggers out-of-memory conditions but also submitted a pull request updating the dependency with the necessary fixes.
Revisiting the Timeline of Events
- September 17, 2020 – Ronald Huveneers reports the infinite loop bug to miniupnp
- October 13, 2020 – Michael Ford sends a preliminary report to security@bitcoincore.org
- March 23, 2021 – Fixes are merged
- September 13, 2021 – Release of Bitcoin Core version v22.0
- July 31, 2024 – Public disclosure of the bug