CVE-2018-6317

9.1 CRITICAL

📋 TL;DR

This vulnerability in Claymore Dual Miner's remote management interface allows unauthenticated attackers to execute format string attacks. Attackers can read sensitive memory contents or crash the miner software, causing denial of service. Anyone running Claymore Dual Miner 10.5 or earlier with the remote management interface exposed is affected.

💻 Affected Systems

Products:
  • Claymore Dual Miner
Versions: 10.5 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the remote management interface, which is enabled by default on port 3333

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, cryptocurrency theft, or installation of persistent malware

🟠 Likely Case

Denial of service (miner crash) or memory disclosure revealing sensitive information such as wallet addresses or mining credentials

🟢 If Mitigated

No impact if the remote management interface is not exposed to untrusted networks

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible from any internet-connected attacker
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or compromised internal systems

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on Exploit-DB; exploitation is a simple format string attack against the management interface

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.6 and later

Vendor Advisory: https://bitcointalk.org/index.php?topic=1433925.msg29359946#msg29359946

Restart Required: Yes

Instructions:

1. Download Claymore Dual Miner version 10.6 or later from official sources
2. Stop the mining software
3. Replace the vulnerable executable with the patched version
4. Restart the mining software

🔧 Temporary Workarounds

Disable Remote Management Interface

Platform: all

Disable the vulnerable remote management interface entirely:

  • Edit config.txt and remove or comment out the '-mport' parameter
  • Or run the miner with the '-mport 0' flag

Restrict Network Access

Platform: all

Block external access to the management port using firewall rules:

Windows: netsh advfirewall firewall add rule name="Block Claymore Port" dir=in action=block protocol=TCP localport=3333
Linux: iptables -A INPUT -p tcp --dport 3333 -j DROP

Note that '-A' appends the rule to the end of the INPUT chain; if an earlier rule already accepts this traffic, insert the DROP rule ahead of it with '-I INPUT' instead. Both rules block all inbound connections to port 3333, including any you rely on for local management, so confirm the port is no longer reachable afterwards.

🧯 If You Can't Patch

  • Isolate mining systems on separate network segments with strict firewall rules
  • Implement network monitoring for exploitation attempts on port 3333

🔍 How to Verify

Check if Vulnerable:

Check whether the Claymore Dual Miner version is 10.5 or earlier and the remote management interface is enabled (port 3333 open)

Check Version:

Check the miner's startup logs, or run it with the '-h' flag, to display the version

Verify Fix Applied:

Verify that the version is 10.6 or later and that format string payloads no longer cause crashes or memory disclosure
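The two checks above (version 10.5 or earlier, and '-mport' still enabled) can be scripted for a fleet of miners. The following is an added example written for this page, not Claymore's own code. It assumes a startup banner that contains the version as "v10.5" (the sample banner is constructed) and that config.txt holds one command-line style option per line with '#' starting a comment; both are assumptions, not facts from the advisory. A missing '-mport' is treated as the default (3333, enabled) and only a value of 0 as disabled, so any other value is conservatively reported as exposed.

```python
"""Assess exposure to CVE-2018-6317 from a version banner and config.txt.

Added example, not Claymore's own code. Assumed: the banner carries the
version as 'vMAJOR.MINOR'; config.txt has one option per line, '#' comments.
"""
import re

PATCHED = (10, 6)      # first fixed release named in the advisory
DEFAULT_MPORT = 3333   # remote management port, enabled by default


def parse_version(banner: str):
    """Extract (major, minor) from a startup banner line; None if absent."""
    m = re.search(r"\bv?(\d+)\.(\d+)\b", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def management_port(config_text: str) -> int:
    """Return the effective -mport value from config.txt contents.

    Missing -mport means the default (3333, enabled); 0 means disabled.
    Text after '#' on a line is treated as a comment (assumption).
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"-mport\s+(-?\d+)", line)
        if m:
            return int(m.group(1))
    return DEFAULT_MPORT


def assess(banner: str, config_text: str) -> dict:
    """Combine version and config into a single verdict."""
    version = parse_version(banner)
    port = management_port(config_text)
    interface_enabled = port != 0
    vulnerable_version = version is not None and version < PATCHED
    return {
        "version": version,
        "mport": port,
        "interface_enabled": interface_enabled,
        "vulnerable": vulnerable_version and interface_enabled,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real miner output.
    sample_banner = "Claymore's Dual ETH miner v10.5"
    sample_config = "-epool eth.example:4444\n# -mport 0\n-ewal 0xWALLET_PLACEHOLDER\n"
    print(assess(sample_banner, sample_config))
```

The commented-out '-mport 0' line in the sample config is deliberately ignored, so the sample is reported as vulnerable: the interface is still on its default port and the version predates the fix.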

📡 Detection & Monitoring

Log Indicators:

  • Unexpected miner crashes
  • Strange format strings in management interface logs
  • Memory access violation errors

Network Indicators:

  • Unusual traffic to port 3333 with format string patterns
  • Exploitation attempts with %n, %s, %x format specifiers

SIEM Query:

source="claymore.log" AND ("access violation" OR "segmentation fault" OR "format string")
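The log and network indicators listed above can be applied to captured lines in code. The following is an added example for this page, not a product or vendor tool: it implements the SIEM query's crash terms as a log check and counts printf-style specifiers (%n, %s, %x with optional width or positional modifiers) in requests seen on port 3333. All log lines and request strings are constructed samples; the real Claymore log format is not documented on this page. The rule that a single '%s' is tolerated while two or more specifiers, or any '%n', raise an alert is a tuning assumption, chosen so that ordinary percentages such as "fan=55%" do not trigger.

```python
"""Detect CVE-2018-6317 exploitation indicators in logs and port-3333 traffic.

Added example, not part of the advisory. Sample inputs are constructed.
"""
import re

# Terms from the advisory's SIEM query.
CRASH_TERMS = ("access violation", "segmentation fault", "format string")

# %n, %s, %x with optional flags/width/positional index (e.g. %08x, %5$n).
# Space is deliberately excluded from the modifier class so "100% sure"
# does not match.
FORMAT_SPEC = re.compile(r"%[0-9$#\-+.]*[nsx]")

SPEC_THRESHOLD = 2  # assumption: one lone %s may be a legitimate template


def specifier_hits(text: str) -> list:
    """All format specifiers found in the text, in order."""
    return FORMAT_SPEC.findall(text)


def is_suspicious_specs(specs) -> bool:
    """Several specifiers, or any %n (never legitimate in a request)."""
    return len(specs) >= SPEC_THRESHOLD or any(s.endswith("n") for s in specs)


def scan_log_line(line: str) -> list:
    """Indicators present in one log line (crash terms, format specifiers)."""
    lowered = line.lower()
    hits = [term for term in CRASH_TERMS if term in lowered]
    if is_suspicious_specs(specifier_hits(line)):
        hits.append("format specifiers")
    return hits


def scan_payload(payload: str) -> dict:
    """Classify one request observed on the management port."""
    specs = specifier_hits(payload)
    return {"specifiers": specs, "suspicious": is_suspicious_specs(specs)}


def triage(log_lines, payloads) -> list:
    """Alert tuples (source, evidence, indicators) from both feeds."""
    alerts = []
    for ln in log_lines:
        hits = scan_log_line(ln)
        if hits:
            alerts.append(("log", ln, hits))
    for p in payloads:
        result = scan_payload(p)
        if result["suspicious"]:
            alerts.append(("network", p, result["specifiers"]))
    return alerts


# Constructed samples (198.51.100.0/24 is a documentation range).
SAMPLE_LOG = [
    "2018-01-27 10:02:11 Remote management: connection from 198.51.100.7",
    "2018-01-27 10:02:12 Access violation reading memory in management thread",
    "2018-01-27 10:02:13 GPU0 t=61C fan=55%",
]
SAMPLE_PAYLOADS = [
    '{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}',  # ordinary API call
    "%x%x%x%x%x%x",                                        # repeated specifiers
    "%n",                                                  # single %n
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, SAMPLE_PAYLOADS):
        print(alert)
```

Running the samples yields one log alert (the access violation line) and two network alerts; the normal JSON-RPC status request and the temperature line pass cleanly.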
