{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/block-discovery/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-44499"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["zebrad (\u003c 4.4.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","zebra","block-discovery","gossip","syncer"],"_cs_type":"threat","_cs_vendors":["Zebra"],"content_html":"\u003cp\u003eA composite denial-of-service vulnerability in Zebra\u0026rsquo;s block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. This vulnerability, present in Zebra versions prior to 4.4.0, exploits three weaknesses in the gossip, syncer, and download subsystems. The attack is initiated from a single TCP connection, creating a monotonically growing block deficit that never self-heals. This vulnerability allows an attacker to suppress both block discovery paths simultaneously, causing the node to fall permanently behind the chain tip. 
This vulnerability was reported to Zebra through a coordinated disclosure process by the researcher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a TCP connection to the targeted Zebra node.\u003c/li\u003e\n\u003cli\u003eAttacker floods the node with a high volume of \u003ccode\u003einv\u003c/code\u003e messages containing fake block hashes.\u003c/li\u003e\n\u003cli\u003eThe gossip download queue on the target node becomes saturated due to the lack of per-connection rate limits on \u003ccode\u003einv\u003c/code\u003e messages.\u003c/li\u003e\n\u003cli\u003eLegitimate block announcements from honest peers are dropped without warning, preventing normal block discovery via gossip.\u003c/li\u003e\n\u003cli\u003eAttacker sends \u003ccode\u003eFindBlocks\u003c/code\u003e requests to the target node, attempting to trigger the syncer path.\u003c/li\u003e\n\u003cli\u003eAttacker responds to \u003ccode\u003eFindBlocks\u003c/code\u003e requests with empty \u003ccode\u003einv\u003c/code\u003e messages, degrading the syncer path.\u003c/li\u003e\n\u003cli\u003eWhen the target node attempts to download blocks, the attacker responds with \u003ccode\u003eNotFound\u003c/code\u003e messages.\u003c/li\u003e\n\u003cli\u003eBecause both block discovery paths are suppressed, the target node permanently falls behind the chain tip and requires operator intervention to recover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a permanent denial-of-service condition. The targeted Zebra node falls behind the chain tip and ceases to discover new blocks, effectively halting its participation in the network. The attack is unauthenticated and requires only a single TCP connection, making it easy to execute. Any Zebra node reachable over the peer-to-peer network is potentially vulnerable. 
Recovery requires manual intervention by the node operator.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Zebra version 4.4.0 or later to patch CVE-2026-44499, as the fix drops connections that send empty responses to \u003ccode\u003eFindBlocks\u003c/code\u003e and \u003ccode\u003eFindHeaders\u003c/code\u003e messages.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Zebra Syncer Path Degradation\u0026rdquo; to identify suspicious connections sending empty responses to \u003ccode\u003eFindBlocks\u003c/code\u003e and \u003ccode\u003eFindHeaders\u003c/code\u003e messages.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for excessive \u003ccode\u003einv\u003c/code\u003e message traffic from single peers to detect potential gossip queue saturation attacks.\u003c/li\u003e\n\u003cli\u003eReview firewall logs for unusual connection patterns targeting Zebra nodes, indicative of potential reconnaissance or exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-zebra-block-discovery-dos/","summary":"A denial-of-service vulnerability exists in Zebra's block discovery pipeline, allowing an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node by exploiting weaknesses in the gossip, syncer, and download subsystems.","title":"Zebra Block Discovery Denial-of-Service via Gossip Queue Saturation and Syncer Poisoning","url":"https://feed.craftedsignal.io/briefs/2024-01-zebra-block-discovery-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Block-Discovery","version":"https://jsonfeed.org/version/1.1"}