Unpatched Ethereum clients could pose risk of 51% attack, says report

• A significant number of unpatched nodes were found in popular clients such as Parity-Ethereum and Geth.
• Attackers could leverage these vulnerable nodes to carry out 51 percent attacks.

Ethereum may be the second most-favorite among blockchain users but research has uncovered serious security vulnerabilities found across the platform. As per a blog published by Security Research Labs, vulnerabilities in the Ethereum ecosystem were mainly due to unpatched nodes in the network. These nodes were of popular clients such as Parity-Ethereum and Geth.

Key Findings

• According to the blog, a third of Parity-Ethereum nodes were left unpatched even after a critical security patch was released a month ago. It was found that around 40 percent of all scanned Parity-Ethereum nodes were vulnerable.
• Furthermore, seven percent of active Parity-Ethereum nodes were not patched for nine months.
• It was discovered that the unpatched nodes could be remotely crashed. Nodes prior to versions 2.2.10 were susceptible.
• The other software client Geth had around 44 percent of vulnerable nodes which were running a version prior to v.1.8.20.

Missing ‘Patch Hygiene’

Security Research Labs suggested that most Ethereum users did not regularly patch their client software.

“The lack of patch hygiene among Ethereum users suggests that more serious vulnerabilities might also survive for days, weeks, or months among a significant number of Ethereum users, putting their own security and the integrity of the Ethereum ecosystem at risk. The consequences of the patch gap would be most severe if a remote code execution were found in a popular client software.” indicated the blog.

Unpatched Ethereum clients can be exploited by attackers in great numbers to carry out 51 percent attacks, where they can abuse computational power to conduct illicit double-spending. Therefore, blockchain users are advised to patch their software clients as soon as critical updates are available.