Bitcoin Core Client UPnP Library Vulnerability and Solution

Summary

  1. Note for users of older versions of the Bitcoin Core client: you will need to uncheck the "Map port using UPnP" checkbox under "Options" -> "Network" in the UI (see image above)

  2. And add upnp=0 to your bitcoin.conf file

  3. Add -upnp=0 to the command line options

Please upgrade to at least Bitcoin Core 0.10.3 or 0.11.1 when they are released (the release cycle is ongoing). These versions will upgrade the library to a fixed version and also disable UPnP by default to prevent this issue from happening in the future.

More Information

MiniUPnP library versions prior to 1.9.20151008 are vulnerable to a buffer overflow in the XML parser. Clients that use the library are vulnerable if UPnP is enabled.

Details of the vulnerability can be found here: http://talosintel.com/reports/TALOS-2015-0035/

The vulnerability has been confirmed to allow a malicious UPnP service running on the local network to crash the application at startup.

This only applies to the distributed executables (clients). For self-built executables, UPnP is disabled by default.

Bitcoin Core versions 0.10.3 through 0.11.1, and the upcoming 0.12.0, will ship with the new version of the library and will no longer enable the feature by default.
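The checks described above can be combined into a small audit. The following Python sketch is an added example, not part of the original advisory or of Bitcoin Core. It assumes that command-line options take precedence over bitcoin.conf, treats any value other than exactly 0 as "enabled" to stay conservative, and does not inspect the GUI checkbox; the function names and sample input are constructed for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by release series.
FIXED = {(0, 10): (0, 10, 3), (0, 11): (0, 11, 1)}

def is_fixed_version(version):
    """True if `version` is at or past the fixed release for its series."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    v = tuple(nums + [0] * (3 - len(nums)))
    if v[:2] in FIXED:
        return v >= FIXED[v[:2]]
    return v[:2] > (0, 11)  # 0.12.0 onward; older series have no fixed release listed

def _decide(values):
    """None if unset; otherwise enabled unless every value is exactly "0"."""
    return any(v.strip() != "0" for v in values) if values else None

def upnp_from_conf(conf_text):
    """Read upnp=... lines from bitcoin.conf text, ignoring # comments."""
    values = []
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip() == "upnp":
            values.append(value)
    return _decide(values)

def upnp_from_args(args):
    """Read -upnp, -upnp=0 or -upnp=1 from a command-line argument list."""
    values = []
    for arg in args:
        m = re.fullmatch(r"--?upnp(?:=(.*))?", arg)
        if m:
            values.append(m.group(1) if m.group(1) is not None else "1")
    return _decide(values)

def audit(version, conf_text="", args=(), release_binary=True):
    fixed = is_fixed_version(version)
    setting = upnp_from_args(args)  # assumption: command line overrides the file
    if setting is None:
        setting = upnp_from_conf(conf_text)
    if setting is None:
        # Per the advisory: old release binaries default to on,
        # self-built executables and fixed versions default to off.
        setting = release_binary and not fixed
    return {"fixed_version": fixed, "upnp_enabled": setting,
            "exposed": setting and not fixed}

# Constructed sample input, not taken from a real node.
SAMPLE_CONF = "# constructed example\nserver=1\nupnp=0  # disabled per advisory\n"

if __name__ == "__main__":
    print(audit("0.11.0"))                         # release binary, defaults
    print(audit("0.11.0", conf_text=SAMPLE_CONF))  # mitigated in bitcoin.conf
```

A node is reported as exposed only when it both runs a version older than the fixed releases and has UPnP effectively enabled.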

No need to be nervous

The Bitcoin Core executable has address space layout randomization (ASLR), stack smashing protection (SSP), and non-executable stack and heap (DEP) enabled. In other words, it is difficult to achieve remote code execution or leak private keys through this vulnerability. However, users are still advised to upgrade, and it is best to disable UPnP as soon as possible.

Manual Port Forwarding

With UPnP turned off, your node will still make outgoing connections to 8 other peers on the Bitcoin network and receive new blocks and transactions. However, it will not accept incoming connections from other peers unless you manually enable port forwarding on your router. If you wish to do this (it is not necessary), follow this tutorial.
