
monerod can be disabled by a well-timed TCP reset packet

ID: 1
Submit date: 10.26.2018
Publish date: 10.26.2018
Author: ahook
Score: 6.2

Description

When a new connection is attempted, the handle_accept function is called. It does some error checking and finishes setting up the connection. Once the connection is set up, it calls acceptor.async_accept() so that the server continues listening for new connections.

https://github.com/monero-project/monero/blob/8a7b3ff13858c5d879530c99de5c723c88429342/contrib/epee/include/net/abstract_tcp_server2.inl#L982

However, if handle_accept is called with an error code, it bypasses the main block of code and only logs a message. It never re-registers the accept handler with the acceptor. As a result, the daemon stops accepting new connections as soon as a single accept error occurs.

An attacker can trigger such an error remotely. If a TCP RST packet is sent immediately after a successful TCP handshake, the connection/socket is torn down. If this happens fast enough (specifically in the window between the server receiving the ACK and handle_accept being called), the accept completes with an error.
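
The hardening the description points at, as an added C++ example that is not Monero's code: the handler must re-issue acceptor.async_accept() on every handle_accept invocation and only give up when the error means the acceptor itself is gone (Asio's operation_aborted on shutdown). This POSIX-sockets loop shows the same invariant synchronously, where a peer that resets the connection before accept() runs surfaces as ECONNABORTED; the transient-error list and the loopback self-test are my own assumptions, not anything taken from the advisory.

```cpp
// Added example, not Monero's code: the listener must outlive a peer that resets
// the connection between the handshake and accept(). On POSIX that surfaces as
// ECONNABORTED (or a pending network error) from accept(); in Asio it is the
// error_code handed to handle_accept. Either way the accept must be re-armed.
#include <arpa/inet.h>
#include <cerrno>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

// Transient accept() errors: the new connection is gone, the listener is fine.
bool accept_error_is_transient(int err) {
    switch (err) {
    case ECONNABORTED: case EINTR: case EAGAIN:
#if EWOULDBLOCK != EAGAIN
    case EWOULDBLOCK:
#endif
    case EPROTO: case ENETDOWN: case EHOSTUNREACH: case ENETUNREACH:
        return true;
    default:
        return false;  // EBADF, EINVAL, ENOTSOCK...: the listening socket is unusable
    }
}

// Accept up to max_accepts connections, closing each at once (stand-in for handing
// it to a connection object). Transient errors re-arm the loop; returns count or -1.
int accept_loop(int listen_fd, int max_accepts) {
    int accepted = 0;
    while (accepted < max_accepts) {
        int fd = accept(listen_fd, nullptr, nullptr);
        if (fd >= 0) { close(fd); ++accepted; continue; }
        if (accept_error_is_transient(errno)) continue;  // keep listening
        return -1;  // only an error fatal to the listening socket ends the loop
    }
    return accepted;
}

// Self-test on loopback (constructed): one client connects, the loop must accept it.
int loopback_selftest() {
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    sockaddr_in a{}; socklen_t len = sizeof a;
    a.sin_family = AF_INET; a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  // port 0
    if (bind(lfd, (sockaddr*)&a, len) || listen(lfd, 8) ||
        getsockname(lfd, (sockaddr*)&a, &len)) return -1;
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (connect(cfd, (sockaddr*)&a, len)) return -1;
    int n = accept_loop(lfd, 1);
    close(cfd); close(lfd);
    return n;
}
```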

Vector: BVSS:1.1/B:N/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H/CI:N/II:L/AI:M
