Sigma Prime conducted a security audit of eth-docker 184.108.40.206 during March and April 2023, with findings presented on April 30th 2023.
A huge thank-you to both Sigma Prime for the audit, and Ethereum Foundation for funding it.
There are one high severity and four informational findings. The high-severity finding is about the entropy used for JWT secret,
API manager token in Nimbus and Lodestar, Prysm wallet password, and Teku cert password: Entropy comes from
$RANDOM and is therefore only 16 bits.
eth-docker v2.3 addresses these findings. It now uses 64 bits of entropy and SHA-256 hash.
Users that expose the Engine API with
ee-traefik.yml need to make sure that it is firewalled to trusted IPs.
Users that did so before eth-docker v2.3 may want to, in addition, update with
./ethd update, stop the stack with
jwtsecret docker volume with
docker volume ls and
docker volume rm, and start the stack with
My own likelihood assessment for exploitation is "Low", not "Medium". This is because
- The Engine API by default is not exposed. Only users who expose the Engine API with
ee-traefik.ymland allow access by untrusted addresses are at risk.
- The Prysm wallet and Teku cert file are not accessible remotely.
- The keymanager API is not accessible remotely: At most locally if using
ED-05 recommends: "Use of clipboard for sensitive strings. Consider giving the user the option of using the clipboard for sensitive strings instead of storing the data in a file."
This was not addressed. JWT secret and API token need to be present in files for the clients to function. Prysm wallet password is stored in a file so the Prysm client can open it. Keymanager API token and Prysm wallet password are printed to stdout if the user requests them.