CVE-2017-12118

Vulnerability

An improper authorization vulnerability exists in the miner_stop API of cpp-ethereum's JSON-RPC server (commit 4e1015743b95821849d001618a7ce82c7c073768). The API lacks proper authorization checks, allowing any remote user to trigger functionality reserved for administrators. By default, the JSON-RPC interface binds to 0.0.0.0, exposing it to the internet, and does not enforce the Content-Type header, making it susceptible to CSRF/SSRF attacks [1].

Exploitation

An attacker only needs network access to the JSON-RPC endpoint. No authentication is required. The attacker sends a JSON-RPC request to the miner_stop method: 1) Identify an exposed cpp-ethereum node (default binding to 0.0.0.0). 2) Craft a JSON request with method "miner_stop". 3) The server processes the request without authorization, stopping the miner [1].

Impact

The attacker can stop the mining process on the targeted node, resulting in a denial-of-service condition affecting mining capability. The CVSSv3 score is 4.0 (medium) with low availability impact, but no confidentiality or integrity impact. However, combined with other attacks, this could be more severe [1].

Mitigation

The vulnerability was identified in the tested commit. Users should update to a version of cpp-ethereum that includes proper authorization for the miner_stop API. As a workaround, bind the JSON-RPC interface to localhost (if supported) or restrict network access to trusted hosts. No official fix is explicitly mentioned in the reference; the vendor may have addressed it in later commits [1].