Merge #1127: Add security advisory for remaining CVE-2024-52919 issue

glozow · glozow · commit 6957ec9324a2 · 2025-04-28T14:51:18.000-04:00
680a254 Add security advisory for remaining CVE-2024-52919 issue (Antoine Poinsot) Pull request description: ACKs for top commit: glozow: reACK 680a254 Tree-SHA512: 9f454e872f3e12e32d5fdaa70d74cc8a6e529edd40b69797488f4bdc944e0200ce7645ef23d151ae681711fc0c50a362e52841eb2535003cbed225cca4a51acf
diff --git a/_posts/en/posts/2025-03-31-disclose-cve-2024-52919.md b/_posts/en/posts/2025-03-31-disclose-cve-2024-52919.md
@@ -0,0 +1,56 @@
+---
+title: CVE-2024-52919 - Remote crash due to addr message spam (part 2)
+name: blog-disclose-cve-2024-52919
+id: blog-disclose-cve-2024-52919
+lang: en
+type: advisory
+layout: post
+
+## If this is a new post, reset this counter to 1.
+version: 1
+
+## Only true if release announcement or security annoucement. English posts only
+announcement: 1
+
+excerpt: >
+  An attacker could crash a node by spamming it with `addr` messages for a very long time. A fix was released on April 14th 2025 in Bitcoin Core v29.0.
+---
+
+Disclosure of the details of an integer overflow bug which causes a crash if a node is getting
+spammed `addr` messages continuously for a very long time (years). A fix was released on April 14th
+2025 in Bitcoin Core v29.0.
+
+This issue is considered **Low** severity.
+
+## Details
+
+The address manager in Bitcoin Core uses a 32-bit identifier for each entry, incremented on every
+insertion. An [earlier security
+advisory](https://bitcoincore.org/en/2024/07/31/disclose-addrman-int-overflow) explained how it
+enabled an attacker to remotely trigger an assertion failure by spamming a node with `addr` messages
+until the 32-bit identifier overflow.
+
+This was partially addressed in Bitcoin Core v22.0 by rate-limiting insertions in the address
+manager to 1 address per peer every 10 seconds. This made the attack a lot more expensive if not
+impractical: even with 1000 peers continuously attacking it would still take more than a year to get
+the 32-bit identifier to overflow.
+
+The remaining, more expensive attack vector was addressed in Bitcoin Core version 29.0 by making the
+identifier a 64-bit identifier.
+
+## Attribution
+
+Credit goes to Eugene Siegel for discovering and disclosing the vulnerability, and to Martin
+Zumsande for changing the identifier to 64-bit.
+
+## Timeline
+
+* 2021-06-21 - Initial report sent to security@bitcoincore.org by Eugene Siegel
+* 2021-07-19 - Rate limiting is merged in PR [#22387](https://github.com/bitcoin/bitcoin/pull/22387)
+* 2021-09-13 - v22.0 is released with rate-limiting
+* 2024-07-31 - Publication of the [first security advisory](https://bitcoincore.org/en/2024/07/31/disclose-addrman-int-overflow)
+* 2024-09-20 - Change to 64-bit identifer is merged in PR [#30568](https://github.com/bitcoin/bitcoin/pull/30568)
+* 2025-04-14 - Bitcoin Core v29.0 is released with the 64-bit identifier
+* 2025-04-28 - Public Disclosure
+
+{% include references.md %}
