smooth












Re: [ANN] AEON 2nd gen cryptonote, anon, mobile-friendly, scalable, pruning
September 19, 2016, 08:36:27 PM

Last edit: September 19, 2016, 09:29:17 PM by smooth

#3054

Security advisory regarding RPC wallets



MWR Labs reported a vulnerability to Monero (see link below). It applies to all Cryptonote-based which use simplewallet, when simplewallet is used in RPC mode. RPC mode is not the default and would have to be enabled by the command line.



The primary situation in which this would occur is running a GUI wallet wrapper which accesses simplewallet via the rpc service (several are listed in the advisory, though most are obsolete). It could also occur if simplewallet running in rpc mode were used to support a service (such as exchange back end) and the system on which the wallet is hosted is also used with a browser (it would not be a good idea to do this in any case).



The vulnerability occurs when a user:



1. Is using simplewallet in rpc mode

2. Is using a web browser on the same system as simplewallet

3. Browses to a malicious site



Monero implemented a fix for this but the fix is complex and back porting it to AEON's older code base, along with the necessary testing and careful evaluation to avoid introducing any new vulnerabilities, does not make sense given that we are moving away from that codebase and simple workarounds exist. I have instead decided to issue this advisory. I may also release a simpler, partial fix that reduces the vulnerability, but caution will still be needed.



In the case of AEON, I have not determined whether the community-supported GUI wallet listed in the OP uses the rpc mode and is vulnerable, though that is most likely the case. As such, I recommend not using the community-supported GUI and have noted this in the OP. I'm not aware of any other wrapper wallets for AEON but if any exist the same advice would apply.



In addition, if you are using simplewallet in RPC mode for any reason, you should avoid doing so on the same system as a web browser. If you are using simplewallet in the default mode without enabling RPC, you are not affected.



https://labs.mwrinfosecurity.com/advisories/csrf-vulnerability-allows-for-remote-compromise-of-monero-wallets/
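
An added example, not part of the original post and not AEON or Monero project code: a host audit for the two local conditions listed in the advisory (simplewallet in RPC mode, and a web browser on the same system). It assumes RPC mode is enabled with the `--rpc-bind-port` option and that the browser names in `BROWSERS` cover the host; both are assumptions, and the process list in `SAMPLE` is constructed.

```python
import os

RPC_FLAG = "--rpc-bind-port"   # assumption: option that enables RPC mode
BROWSERS = {"firefox", "chrome", "chromium", "chromium-browser",
            "opera", "brave", "safari"}   # assumption: illustrative list

def is_rpc_wallet(argv):
    """True for a simplewallet process started with the RPC option."""
    if not argv or not os.path.basename(argv[0]).lower().startswith("simplewallet"):
        return False
    return any(a == RPC_FLAG or a.startswith(RPC_FLAG + "=") for a in argv[1:])

def is_browser(argv):
    return bool(argv) and os.path.basename(argv[0]).lower() in BROWSERS

def audit(processes):
    """processes: list of argv lists. Reports conditions 1 and 2."""
    wallets = [p for p in processes if is_rpc_wallet(p)]
    browsers = [p for p in processes if is_browser(p)]
    return {"rpc_wallets": wallets, "browsers": browsers,
            "exposed": bool(wallets and browsers)}

def local_processes():
    """argv of every readable process, from /proc (Linux only)."""
    found = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # process exited or is not readable
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if argv:
            found.append(argv)
    return found

# Constructed sample process list, used where /proc is unavailable.
SAMPLE = [
    ["/opt/aeon/simplewallet", "--wallet-file", "w.bin", "--rpc-bind-port", "8082"],
    ["/usr/lib/firefox/firefox", "-new-tab"],
    ["/usr/sbin/sshd", "-D"],
]

if __name__ == "__main__":
    report = audit(local_processes() if os.path.isdir("/proc") else SAMPLE)
    # Only counts are printed: wallet arguments can contain secrets.
    print("simplewallet processes in RPC mode:", len(report["rpc_wallets"]))
    print("browser processes:", len(report["browsers"]))
    print("EXPOSED: stop the browser or the RPC wallet" if report["exposed"]
          else "local preconditions not met on this host")
```

The third condition, browsing to a malicious site, cannot be checked locally, so a host that reports both local conditions should be treated as exposed.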