Bug #15151

Upgrade Electrum to version 3.0.4. Older versions have JSONRPC vulnerability to steal cryptocurrencies

Added by dareaper 2018-01-07 08:10:45. Updated 2018-01-14 22:33:19.

Status: Duplicate
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2018-01-07
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool: Electrum
Deliverable for:

Description

Upgrade Electrum in Tails OS to version 3.0.4 as versions below it have a critical vulnerability pertaining to JSONRPC and the ability to steal the user’s funds.

More info: https://github.com/spesmilo/electrum/issues/3374

Official readme with fix for Electrum 3.0.4:

https://github.com/spesmilo/electrum/blob/3.0.4/RELEASE-NOTES

“Fix a vulnerability caused by Cross-Origin Resource Sharing (CORS)
in the JSONRPC interface. Previous versions of Electrum are
vulnerable to port scanning and deanonimization attacks from
malicious websites. Wallets that are not password-protected are
vulnerable to theft.”

Subtasks

Related issues

Is duplicate of Tails - Feature #15022: Electrum package update to version 3.0.6 Resolved 2017-12-07

History

#1 Updated by intrigeri 2018-01-07 10:31:48

  • Assignee set to dareaper
  • QA Check set to Info Needed
  • Type of work changed from Discuss to Research

Electrum listens to a (apparently random) high TCP port in Tails 3.3. I’ve tried to connect to this port from the Unsafe Browser and I see in the logs that our firewall blocked it. Same with curl on the command line from both the amnesia and root users. Then I’ve tried to connect to this port from Tor Browser and the connection failed (no firewall log, I think that Tor Browser blocked the attempt itself).

Could you please clarify why you think Tails is affected by the security issue?

#2 Updated by dareaper 2018-01-07 11:29:56

intrigeri wrote:
> Electrum listens to a (apparently random) high TCP port in Tails 3.3. I’ve tried to connect to this port from the Unsafe Browser and I see in the logs that our firewall blocked it. Same with curl on the command line from both the amnesia and root users. Then I’ve tried to connect to this port from Tor Browser and the connection failed (no firewall log, I think that Tor Browser blocked the attempt itself).
>
> Could you please clarify why you think Tails is affected by the security issue?

I’m sorry if I was unclear in the bug description. Kind of new to this.

Basically the Electrum vulnerability doesn’t affect TAILS, but it affects the user’s Electrum wallet funds if the user uses an older version of electrum (below 3.0.4) and browses a webpage that has some form of malicious javascript that scans for open JSON-RPC interface ports. If it finds one (considering older versions of electrum didn’t have this encrypted / password protected) then it’ll attempt to steal the user’s funds if and only if the user’s wallet isn’t set with a password.

Electrum 3.0.4 disables CORS which will prevent such port scans and lookups until another newer version of electrum would be released with a password protection enabled for it.

Hence, this bug isn’t about TAILS, but affects users who use older versions of Electrum on TAILS with the risk of them losing funds. I request you to kindly update the electrum on TAILS to version 3.0.4

#3 Updated by intrigeri 2018-01-07 11:40:12

> if the user uses an older version of electrum (below 3.0.4) and browses a webpage that has some form of malicious javascript that scans for open JSON-RPC interface ports. If it finds one (considering older version of electrum didn’t have this encrypted / password protected) then it’ll attempt to steal the users funds if and only if the users wallet isn’t set with a password.

This is precisely what I’ve tried to verify and failed: it appears that our firewall and browsers configuration blocks connections to that JSON-RPC interface. Hence my request for more information from you. So let me rephrase: how exactly would an attacker exploit this in Tails?

#4 Updated by dareaper 2018-01-07 14:10:10

intrigeri wrote:
> > if the user uses an older version of electrum (below 3.0.4) and browses a webpage that has some form of malicious javascript that scans for open JSON-RPC interface ports. If it finds one (considering older version of electrum didn’t have this encrypted / password protected) then it’ll attempt to steal the users funds if and only if the users wallet isn’t set with a password.
>
> This is precisely what I’ve tried to verify and failed: it appears that our firewall and browsers configuration blocks connections to that JSON-RPC interface. Hence my request for more information from you. So let me rephrase: how exactly would an attacker exploit this in Tails?

A couple of things. I’m not sure on how the attacker would exploit this in TAILS and I don’t know how to code the Javascript exploit to be able to perform this and write down the reproduction steps. Also, if TAILS does block JSON-RPC connections via the firewall that’s good, but I’ve been also told otherwise (https://bitcointalk.org/index.php?topic=2701891.msg27639317#msg27639317). Anyways, Electrum 3+ contains support for Segwit addresses for Bitcoin which helps reduce transaction fees if many users start using it. Hence, I still request TAILS to include version 3.0.4 for the users to benefit from the added features. The current version is pretty old to be honest.

#5 Updated by intrigeri 2018-01-07 14:19:19

  • Assignee changed from dareaper to s7r

> Also, if TAILS does block JSON-RPC connections via the firewall that’s good, but I’ve been also told otherwise (https://bitcointalk.org/index.php?topic=2701891.msg27639317#msg27639317).

I see nothing in there that seems relevant to what I wrote: our firewall blocks internal connections on the loopback interface to that port.
s7r, what do you think?

> Anyways, Electrum 3+ contains support for Segwit addresses for Bitcoin which helps reduce transaction fees if many users start using it. Hence, I still request TAILS to include version 3.0.4 for the users to benefit from the added features. The current version is pretty old to be honest.

There are already plenty of duplicates of this specific request on this bug tracker. That’s WIP, see https://mailman.boum.org/pipermail/tails-dev/2017-December/011949.html and Feature #15022.

#6 Updated by s7r 2018-01-08 02:28:52

Answering:
- update to 3.0.4 is not sufficient because it only removes the CORS code, it does not protect the RPC interface properly with a password.

- there is ticket Feature #15022 to upgrade Electrum in Tails. Electrum 3.0.5 was just released which:
a) properly protects the RPC interface with a password (128 bit of entropy if not set by user);
b) disables RPC commands entirely when the GUI is running (only allows ping, to make sure one single instance is running)

3.0.5 was just uploaded to unstable and then it will be ported to stretch-backports and included in Tails.

As for the discussion related to how Electrum in Tails can be exploited (Tails itself doesn’t have any problems): older versions of Electrum are not exploitable in Tails’ particular firewall setup, looking from the ‘malicious website attack’ point of view, where the only ways in are Unsafe Browser and Tor Browser, which are properly configured to NOT allow access to Electrum daemon’s RPC interface. I can’t explain why.

Internal traffic from localhost to localhost is allowed in Tails (?):
source: https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf

<code class="text">
table filter {
    chain INPUT {
        policy DROP;

        # Established incoming connections are accepted.
        mod state state (ESTABLISHED) ACCEPT;

        # Traffic on the loopback interface is accepted.
        interface lo ACCEPT;
    }
}   # only the INPUT chain is quoted here; the OUTPUT chain follows in the real file
</code>

or is it stopped on OUTPUT chain? This is some neat firewall we have.

curl was blocked by the firewall because it’s configured to go only through Tor, without being able to reach localhost.

Prior to 3.0.5, Electrum in GUI mode would (at least theoretically) require to talk to the daemon via RPC, but I don’t understand exactly why it works in our system like this. Maybe already established connections are allowed and new ones dropped?
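As an added illustration of the two fixes described in this comment (3.0.4 dropping the CORS headers, 3.0.5 requiring a password with 128 bits of entropy and answering only `ping` in GUI mode), here is a toy JSON-RPC server written for this page, not Electrum's own code: it can be started in each of the three configurations, and a client helper sends a request tagged with a constructed untrusted `Origin` and reports the status and CORS header it gets back. The fixed Basic-auth user name "user", the handler and the port choice are assumptions.

```python
import base64, json, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def new_rpc_password():
    return secrets.token_hex(16)  # 128 bits of entropy, what 3.0.5 generates when none is set

def basic_auth(password):
    # "user" is an assumed fixed user name for HTTP Basic auth
    return "Basic " + base64.b64encode(f"user:{password}".encode()).decode()

def make_handler(allow_cors, password):
    # Toy JSON-RPC endpoint answering only "ping" (the one call 3.0.5 keeps in GUI mode).
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args): pass  # silence per-request logging
        def do_POST(self):
            req = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
            if password is not None and not secrets.compare_digest(
                    self.headers.get("Authorization", "").encode(), basic_auth(password).encode()):
                self.send_response(401)  # 3.0.5-style: without the password, no RPC at all
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            body = json.dumps({"id": req.get("id"),
                               "result": "pong" if req.get("method") == "ping" else None}).encode()
            self.send_response(200)
            if allow_cors:  # pre-3.0.4 behaviour: any web origin may read the reply
                self.send_header("Access-Control-Allow-Origin", "*")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler

def serve(allow_cors, password=None):
    # Bind a random loopback port, serve in the background, return the port number.
    srv = HTTPServer(("127.0.0.1", 0), make_handler(allow_cors, password))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port

def rpc_ping(port, password=None):
    # Client call tagged with a constructed untrusted Origin; returns (status, ACAO header or None).
    req = urllib.request.Request(f"http://127.0.0.1:{port}/", data=b'{"id": 1, "method": "ping"}',
                                 headers={"Origin": "http://untrusted.example"})
    if password is not None:
        req.add_header("Authorization", basic_auth(password))
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Access-Control-Allow-Origin")
    except urllib.error.HTTPError as err:
        return err.code, None
```

With `serve(True)` the reply carries `Access-Control-Allow-Origin: *`, which is what lets a page from another origin read it; `serve(False)` removes that header, and `serve(False, new_rpc_password())` additionally refuses every request that lacks the password.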

#7 Updated by intrigeri 2018-01-10 15:55:04

> Internal traffic from localhost to localhost is allowed in Tails (?):
> […]
> or is it stopped on OUTPUT chain? This is some neat firewall we have.

The latter: see the outerface lo section in the OUTPUT chain.

> Prior to 3.0.5, Electrum in GUI mode would (at least theoretically) require to talk to the daemon via RPC, but I don’t understand exactly why it works in our system like this. Maybe already established connections are allowed and new ones dropped?

I don’t understand, sorry!

#8 Updated by mercedes508 2018-01-10 18:00:20

  • Priority changed from High to Normal

#9 Updated by s7r 2018-01-12 20:45:08

intrigeri wrote:
> > Prior to 3.0.5, Electrum in GUI mode would (at least theoretically) require to talk to the daemon via RPC, but I don’t understand exactly why it works in our system like this. Maybe already established connections are allowed and new ones dropped?
>
> I don’t understand, sorry!

In versions prior to 3.0.5 of Electrum, when Electrum GUI was started, the daemon was first started in the background and Electrum GUI (theoretically) explicitly required RPC to talk to Electrum daemon. As of 3.0.5 the GUI doesn’t have this requirement, so the RPC server is almost entirely disabled when Electrum is running in GUI mode (only ping is allowed to check if running true/false, that’s all).

I guess we can mark this as duplicate and we’ll stick on Feature #15022? 3.0.5 just landed in testing, waiting for `stable-backports` currently `stretch-backports`.

#10 Updated by mercedes508 2018-01-14 19:34:24

  • Assignee changed from s7r to dareaper

Anything against marking this as a duplicate?

#11 Updated by s7r 2018-01-14 22:33:19

  • Status changed from New to Duplicate
  • Assignee deleted (dareaper)
  • QA Check deleted (Info Needed)

Marking this as duplicate, Feature #15022 takes care of this.

#12 Updated by intrigeri 2018-01-15 11:10:03

  • is duplicate of Feature #15022: Electrum package update to version 3.0.6 added