Sigma Prime conducted a security audit of eth-docker 220.127.116.11 during March and April 2023, with findings presented on April 30th 2023.
A huge thank-you to both Sigma Prime for the audit, and Ethereum Foundation for funding it.
There are one medium-severity and four informational findings. The medium-severity finding concerns the entropy used for the JWT secret, the API manager token in Nimbus and Lodestar, the Prysm wallet password, and the Teku cert password: the entropy comes from `$RANDOM` and is therefore only 16 bits.
eth-docker v2.3 addresses these findings. It now uses 64 bits of entropy and a SHA-256 hash.
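As an added illustration of the finding (this is not eth-docker's own code), the script below generates an Engine API JWT secret straight from the kernel CSPRNG and validates an existing secret file; the output path used in the demo is a placeholder, not eth-docker's volume layout.

```shell
#!/bin/sh
# Added example (not eth-docker's own code): generate an Engine API JWT
# secret from the kernel CSPRNG and validate an existing secret file.
#
# Hashing a low-entropy seed does not add entropy: SHA-256 over a single
# $RANDOM value can only ever yield 2^16 distinct secrets, however long
# the digest looks. The Engine API expects a 256-bit hex-encoded key, so
# draw all 32 bytes from /dev/urandom instead of deriving them from a seed.

gen_jwt_secret() {
  # 32 random bytes -> 64 lowercase hex characters, no prefix, no newline
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

check_jwt_secret() {
  # Takes a file path; tolerates surrounding whitespace and a 0x prefix.
  # Returns 0 if the content is exactly 32 bytes of hex, 1 otherwise.
  candidate=$(tr -d ' \t\r\n' < "$1" | sed 's/^0x//')
  printf '%s\n' "$candidate" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# Demo: write a fresh secret to a file, then verify it before handing the
# path to the clients. Run as: sh thisfile.sh --demo ./jwtsecret.hex
if [ "${1:-}" = "--demo" ]; then
  out=${2:-./jwtsecret.hex}      # placeholder path, constructed for the demo
  umask 077                      # secret file readable by the owner only
  gen_jwt_secret > "$out"
  check_jwt_secret "$out" && echo "wrote valid 256-bit JWT secret to $out"
fi
```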
- Secrets entropy: Users that expose the Engine API with `ee-traefik.yml` need to make sure that it is firewalled to trusted IPs. Users that did so before eth-docker v2.3 may want to, in addition, update with `./ethd update`, stop the stack with
remove the `jwtsecret` docker volume with `docker volume ls` and `docker volume rm`, and start the stack with
- ED-05 recommends: "Use of clipboard for sensitive strings. Consider giving the user the option of using the clipboard for sensitive strings instead of storing the data in a file."
This was not addressed. Engine API JWT secret and keymanager API token need to be present in files for the clients to function. Prysm wallet password is stored in a file so the Prysm client can open it. Keymanager API token and Prysm wallet password are printed to stdout if the user requests them.