Global hacking research collective SRLabs claims that only two thirds of the Ethereum client software that runs on Ethereum nodes has been patched against a critical security flaw discovered earlier this year. The news was reported by business tech website ZDNet on May 17.
An SRLabs report ostensibly shared with ZDNet has reportedly revealed that the critical flaw is a denial of service (DoS) vulnerability in the Ethereum Parity client. As SRLabs has outlined, the flaw could enable a hacker to remotely crash legitimate Parity Ethereum nodes by sending malformed packets.
Should sufficient malicious nodes overwhelm the network and gain a 51% majority, they could potentially commit double-spends and validate unsound transactions, ZDNet notes.
While the issue was addressed with the release of the Parity Ethereum client v2.2.10 in mid-February — just a few days after the flaw was reported by SRLabs — SRLabs researcher Karsten Nohl told ZDNet that:
"According to our collected data, only two thirds of nodes have been patched so far."
One month after the issue was successfully patched in the new Parity release, SRLabs researchers reportedly scanned the Ethereum blockchain to check how many Parity nodes had updated their clients to the new version. The report notes:
"One month after this alert, we used data from Ethernodes.org to assess the security of the Ethereum node landscape and found that around 40% of all scanned Parity Ethereum nodes [...] remained unpatched and thus vulnerable to the mentioned attack."
The data reportedly indicates that unpatched Parity nodes comprise 15% of all scanned nodes — implying that 15% of all Ethereum nodes are vulnerable to a potential 51% attack.
The sluggish pace of patching in response to discovered vulnerabilities was purportedly further demonstrated in SRLabs’ broader analysis, which found that 7% of active Parity Ethereum nodes had not been patched for nine months, leaving them susceptible to other detected flaws.
A similar slow pace was discovered for a different Ethereum node client, Go-Ethereum (Geth), with 44% of Geth nodes reportedly not undergoing a critical security update (v1.8.21).
Nohl noted that Parity’s highly complex automated update process lacks reliability when nodes are not configured correctly, while the Geth client lacks an auto update system altogether.
The unpatched nodes ostensibly pose a risk to the entire network, as they could be crashed to reduce the costs of carrying out a blockchain-wide 51% attack, ZDNet notes.