CVE-2017-12116

Vulnerability

An improper authorization vulnerability exists in the miner_setGasPrice API of cpp-ethereum's JSON-RPC server (commit 4e1015743b95821849d001618a7ce82c7c073768). The function lacks proper access controls, allowing any remote user to trigger functionality intended only for administrators. By default, the JSON-RPC interface binds to 0.0.0.0, exposing it to the network, and the server does not enforce the Content-Type header, making it susceptible to cross-site request forgery (CSRF) and server-side request forgery (SSRF) attacks [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted JSON-RPC request to the miner_setGasPrice endpoint without any authentication. The attack is remotely exploitable over the network and requires no privileged access or user interaction. Due to the lack of Content-Type enforcement and default exposure to all interfaces, an attacker can also leverage CSRF or SSRF techniques to trigger the request from a victim's browser or server [1].

Impact

Successful exploitation allows the attacker to bypass authorization and execute the miner_setGasPrice API, which sets the minimum gas price for mining operations. This could manipulate the economic parameters of the Ethereum node, potentially affecting transaction processing and mining rewards. The CVSSv3 score is 6.8, with high attack complexity but no confidentiality or availability impact, only integrity (N/I:H/A:N) [1].

Mitigation

As of the available references, no official patched version or workaround has been disclosed. Users are advised to restrict access to the JSON-RPC interface by binding it to localhost (127.0.0.1) and implementing proper authentication and Content-Type enforcement. Upgrading to a newer version of cpp-ethereum that addresses this issue may be considered when available [1].