CVE-2020-10937

7.5 HIGH

📋 TL;DR

An attacker can cheaply generate ephemeral peer identities (Sybils) and abuse the go-ipfs connection manager's peer-reputation handling to poison other nodes' DHT routing tables, eclipsing a targeted node so that it is cut off from honest peers. It affects go-ipfs 0.4.23 nodes that participate in the IPFS distributed hash table (DHT) for peer discovery and content routing, which is the default configuration.

💻 Affected Systems

Products:
  • go-ipfs
Versions: 0.4.23
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only nodes that participate in the IPFS DHT for peer routing are exposed; configurations that disable the DHT (Routing.Type set to none) or run a private swarm reduce exposure at the cost of functionality.

📦 What is this software?

go-ipfs (renamed Kubo in 2022) is the reference Go implementation of IPFS, a peer-to-peer, content-addressed file system. Nodes discover peers and locate content through a Kademlia-based distributed hash table (DHT); poisoning a node's DHT routing table therefore controls which peers and which content that node can find.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Targeted nodes become completely unreachable on the IPFS network (eclipsed), disrupting file sharing and communication and causing denial of service or data isolation.

🟠 Likely Case

Partial network disruption or degraded performance for affected nodes: DHT lookups fail or time out more often, so content is harder to find or share reliably.

🟢 If Mitigated

Minimal impact on nodes running a patched release with DHT hardening, or with the DHT disabled; nodes remain functional with normal network connectivity.

🌐 Internet-Facing: HIGH. The attack runs over the public IPFS peer-to-peer network; any host that can connect to the target as an ordinary peer can attempt it, with no credentials or internal access.
🏢 Internal Only: LOW. Nodes in a private swarm (shared swarm.key) or otherwise unreachable from untrusted peers can only be attacked by a peer that already has access to that swarm.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation needs only ordinary peer-level network access to the target and the ability to generate many peer identities, which is computationally cheap; published research and tooling demonstrate the technique end to end.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.0 and later

Vendor Advisory: https://blog.ipfs.io/2020-10-30-dht-hardening/

Restart Required: Yes

Instructions:

1. Back up any critical data from the IPFS node.
2. Stop the IPFS service.
3. Download and install go-ipfs version 0.7.0 or newer from the official IPFS releases page.
4. Restart the IPFS service.

🔧 Temporary Workarounds

Disable DHT

Applies to: all

Setting Routing.Type to none stops the node from participating in the DHT, so it no longer maintains a routing table that can be poisoned. The node can then only reach peers and content it already knows about (bootstrap peers, peers added with ipfs swarm connect, directly connected peers), so content discovery is severely limited. The daemon must be restarted for the change to take effect.

ipfs config Routing.Type none

🧯 If You Can't Patch

  • Monitor the peer set for many distinct peer IDs arriving from a small number of source addresses, and watch DHT lookups for a rising failure rate; both are signals that the routing table is being crowded by attacker identities.
  • Limit exposure with firewall rules on the swarm port (4001/tcp by default) so that only known peers can connect inbound. This alone is a weak control: a DHT node also dials outbound to peers it learns about, so an attacker's Sybils can still be admitted that way.
  • If the deployment does not need the public network, run a private swarm: all nodes share a swarm.key in the IPFS repo and connections from peers without it fail, which keeps untrusted Sybils out entirely.

🔍 How to Verify

Check if Vulnerable:

Run ipfs version; if it reports 0.4.23 (the release listed as affected) the node is vulnerable, and any release older than the fixed version has not received the DHT hardening and should be upgraded. Also check ipfs config Routing.Type: a node with the DHT disabled (none) is not exposed to routing-table poisoning even on an unpatched release.

Check Version:

ipfs version

Verify Fix Applied:

After updating, confirm that ipfs version reports 0.7.0 or higher, then check that routing still works by resolving providers for a known CID, for example ipfs dht findprovs <cid>, which should return peers rather than time out.
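The two checks above as a script, added here as an example (it is not from the advisory or from the go-ipfs project). It reads the output of two real commands, ipfs version and ipfs config Routing.Type, and classifies the node as VULNERABLE, MITIGATED, PATCHED or UNKNOWN. The sample strings are constructed stand-ins for live output; the 0.7.0 threshold is the patch version this page lists. Dotted versions are compared field by field, because a plain string comparison would rank 0.10.0 below 0.7.0.

```shell
#!/bin/sh
# Added example, not part of the advisory or of go-ipfs itself.
# Classifies a go-ipfs node's exposure to CVE-2020-10937 from the output of
# `ipfs version` and `ipfs config Routing.Type`. On a live node call:
#   ipfs_status "$(ipfs version)" "$(ipfs config Routing.Type)"

FIXED_VERSION="0.7.0"   # first release this page lists as fixed

# version_ge A B: succeed when dotted version A >= B (numeric fields only).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, A, "."); m = split(b, B, ".")
    for (i = 1; i <= 3; i++) {
      x = (i <= n) ? A[i] + 0 : 0
      y = (i <= m) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# parse_ipfs_version "ipfs version 0.4.23" -> "0.4.23"; prints nothing on junk.
parse_ipfs_version() {
  printf '%s\n' "$1" | sed -n 's/^ipfs version \([0-9][0-9.]*\).*/\1/p'
}

# ipfs_status VERSION_OUTPUT ROUTING_TYPE -> VULNERABLE | MITIGATED | PATCHED | UNKNOWN
ipfs_status() {
  ver=$(parse_ipfs_version "$1")
  routing=$2
  if [ -z "$ver" ]; then printf 'UNKNOWN\n'; return 0; fi
  if version_ge "$ver" "$FIXED_VERSION"; then printf 'PATCHED\n'; return 0; fi
  # Unpatched: only a node that takes part in the DHT can have its table poisoned.
  if [ "$routing" = "none" ]; then printf 'MITIGATED\n'; else printf 'VULNERABLE\n'; fi
}

# Constructed samples standing in for live command output.
ipfs_status "ipfs version 0.4.23" "dht"    # VULNERABLE
ipfs_status "ipfs version 0.4.23" "none"   # MITIGATED
ipfs_status "ipfs version 0.7.0"  "dht"    # PATCHED
ipfs_status "ipfs version 0.10.0" "dht"    # PATCHED
```

dhtclient counts as participating for this purpose: a client-mode node still builds a routing table from peers it learns about, so only none is treated as mitigated.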

📡 Detection & Monitoring

Log Indicators:

  • A spike in connections from previously unseen peer IDs, especially many peer IDs sharing a few source IP addresses
  • DHT lookups (findpeer, findprovs) that increasingly fail or time out for content known to be available

Network Indicators:

  • Rising latency or timeouts when retrieving content that was previously fast
  • Traffic concentrated on a small set of remote addresses that present many different peer identities

SIEM Query:

Search IPFS daemon logs for DHT lookup errors and routing failures, and correlate the time of the increase with the first appearance of new peer IPs and with the count of distinct peer IDs per source IP. A jump in identities per address is the Sybil signature; a jump in addresses alone is ordinary churn.
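The "many peer IDs per source IP" indicator above as a check you can run against a live node, added here as an example (not from the advisory or from go-ipfs). It parses the output of ipfs swarm peers, assumed to be one multiaddr per line ending in the peer ID after /p2p/ (or /ipfs/ on older releases), counts distinct peer IDs per remote IP, and reports addresses that exceed a threshold. The peer list below is constructed; the Qm... identifiers and the 203.0.113.x / 198.51.100.x addresses are placeholders.

```shell
#!/bin/sh
# Added example, not part of the advisory or of go-ipfs itself.
# Flags remote IPs that present many distinct peer identities at once, the
# cheap-Sybil pattern behind CVE-2020-10937. Live use:
#   ipfs swarm peers | sybil_ips 3

# Constructed sample of `ipfs swarm peers` output (format assumed as described).
SAMPLE_PEERS='/ip4/203.0.113.7/tcp/4001/p2p/QmSybilA
/ip4/203.0.113.7/tcp/4002/p2p/QmSybilB
/ip4/203.0.113.7/tcp/4003/p2p/QmSybilC
/ip4/203.0.113.7/udp/4001/quic/p2p/QmSybilD
/ip4/203.0.113.7/udp/4002/quic/p2p/QmSybilE
/ip4/203.0.113.7/tcp/4001/p2p/QmSybilA
/ip4/198.51.100.20/tcp/4001/p2p/QmHonestA
/ip4/198.51.100.21/tcp/4001/p2p/QmHonestB
/ip4/198.51.100.21/tcp/4001/ipfs/QmHonestC
/ip6/2001:db8::10/tcp/4001/p2p/QmHonestD
/dns4/relay.example.net/tcp/4001/p2p/QmRelay/p2p-circuit/p2p/QmHonestE'

# sybil_ips THRESHOLD: read multiaddrs on stdin, print "COUNT IP" for every
# ip4/ip6 address with at least THRESHOLD distinct peer IDs, highest first.
sybil_ips() {
  awk -v t="$1" -F/ '
    # Split on "/": $2 is the transport (ip4, ip6, dns4...), $3 the address,
    # and the last field is the peer ID whatever protocols sit in between.
    $2 == "ip4" || $2 == "ip6" {
      ip = $3; id = $NF
      if (!((ip, id) in seen)) { seen[ip, id] = 1; n[ip]++ }   # dedupe repeats
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' | sort -rn
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PEERS" | sybil_ips 3    # 5 203.0.113.7
```

Treat a hit as a triage signal, not proof: carrier-grade NAT can legitimately place many real peers behind one address. The useful comparison is against the node's own baseline of identities per address, and the drop in DHT lookup success that the Sybils cause.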

🔗 References

  • Vendor advisory (IPFS DHT hardening): https://blog.ipfs.io/2020-10-30-dht-hardening/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-10937
