Talos is disclosing the presence of multiple vulnerabilities in the CPP and the Parity Ethereum clients.
TALOS-2017-0503 / CVE-2017-14457 describes a denial of service vulnerability and potential memory leak in libevm. The function is not currently enabled in the default build. This vulnerability only affects nodes which have manually enabled it during build time.
TALOS-2017-0508 / CVE-2017-14460 is an overly permissive cross-domain (CORS) whitelist policy vulnerability in the Ethereum Parity client. It can lead to the leak of sensitive data about existing accounts, parity settings and network configurations, in addition to accounts and parity settings modifications, if certain APIs have been turned on.
Further on, TALOS-2017-0464 – TALOS-2017-0471 / CVE-2017-12112 – CVE-2017-12119 describe multiple Authorization Bypass Vulnerabilities which an attacker could misuse to access functionality reserved only for users with administrative privileges without any credentials.
Finally, Talos found TALOS-2017-0471 / CVE-2017-12119, another denial of service vulnerabilities in the CPP-Ethereum JSON-RPC implementation. A specially crafted json request can cause an unhandled exception resulting in a denial of service.
VISIT THE SOURCE ARTICLE
Author: Talos Group
Used with the permission of http://thenetwork.cisco.com/. Cisco reserves all rights in and to any Cisco logos, trademarks or trade names contained in any RSS/JS feed, and your right to use these Cisco logos, trademarks or trade names is limited to providing attribution in connection with these RSS/JS feeds.