Zebra Denial-of-Service Vulnerability in Block Discovery Pipeline

Vulnerability

A composite denial-of-service vulnerability has been identified in Zebra, a Zcash node implementation in Rust, affecting all versions prior to 4.4.0. The vulnerability allows an unauthenticated remote attacker to permanently disrupt block discovery on a targeted node. This is achieved by exploiting three independent weaknesses in Zebra's gossip, syncer, and download subsystems, all through a single TCP connection. The attack creates a growing backlog of missed blocks that the node cannot recover from without manual intervention.

Impact

Exploitation of this vulnerability leads to a permanent halt in block discovery on the affected node, causing it to fall behind the chain tip and remain there indefinitely without operator intervention.

Remediation

Users are advised to upgrade to Zebra version 4.4.0 or later. This version addresses the vulnerability by dropping connections that send empty responses to block discovery requests, thereby preventing the degradation of the syncer path.
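To illustrate why dropping peers that answer block discovery with nothing matters, the following toy simulation is added here (it is not Zebra's code and does not reproduce its syncer). It assumes a hypothetical Peer model, a simplified syncer that always asks its first connected peer, and constructed all-zero hash values; it compares a tolerate-empty policy with the drop-on-empty policy the 4.4.0 fix is described as introducing.

```rust
/// Hypothetical peer model (not Zebra's type): an honest peer returns
/// `hashes_per_round` new block hashes per discovery round; a misbehaving
/// peer always returns an empty list.
#[derive(Clone, Copy)]
pub struct Peer {
    pub id: u32,
    pub hashes_per_round: usize,
}

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Policy {
    /// Pre-fix behaviour: an empty response is tolerated and the peer stays connected.
    Tolerate,
    /// Fixed behaviour: an empty response to a block discovery request drops the connection.
    DropOnEmpty,
}

/// Outcome of a simulation: block hashes discovered and peers that were dropped.
#[derive(Debug, PartialEq)]
pub struct Outcome {
    pub discovered: usize,
    pub dropped_peers: Vec<u32>,
}

/// Runs `rounds` discovery rounds. Each round asks the first connected peer
/// (a simplification; the page does not describe how Zebra selects peers).
/// A round that yields no hashes makes no progress, so the missed-block
/// backlog the advisory describes keeps growing.
pub fn simulate(peers: &[Peer], policy: Policy, rounds: usize) -> Outcome {
    let mut connected: Vec<Peer> = peers.to_vec();
    let mut dropped_peers = Vec::new();
    let mut discovered = 0;
    for _ in 0..rounds {
        let peer = match connected.first() {
            Some(p) => *p,
            None => break, // no peers left to ask
        };
        // Constructed response: placeholder all-zero hashes, not real block hashes.
        let response: Vec<[u8; 32]> = vec![[0u8; 32]; peer.hashes_per_round];
        if response.is_empty() {
            if policy == Policy::DropOnEmpty {
                connected.retain(|p| p.id != peer.id);
                dropped_peers.push(peer.id);
            }
            continue; // no progress this round
        }
        discovered += response.len();
    }
    Outcome { discovered, dropped_peers }
}

fn main() {
    let peers = [Peer { id: 1, hashes_per_round: 0 }, Peer { id: 2, hashes_per_round: 500 }];
    println!("tolerate: {:?}", simulate(&peers, Policy::Tolerate, 10));
    println!("drop:     {:?}", simulate(&peers, Policy::DropOnEmpty, 10));
}
```

With the tolerating policy the node keeps asking the empty-responding peer and discovers nothing in ten rounds; with drop-on-empty that peer is disconnected after its first empty answer and the remaining rounds go to the honest peer.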

Added: May 8, 2026, 6:05 PM
Updated: May 8, 2026, 6:05 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.