ZEND Node Application Disclosure and Fixes
On Feb 17, 2023, our security team was notified of potential vulnerabilities in the ZEND node application that could allow an attacker to perform a Denial of Service attack against a node.
Today a new release of ZEND (version 3.3.0) addressing these vulnerabilities has been made available. Please make sure you update your Mainnet nodes as soon as possible.
Feb 17th: The Horizen Labs incident response team met with Halborn and other projects to discuss the details of the vulnerabilities found
Feb 17th: The Horizen Labs response team analyzed the information provided by Halborn in an attempt to understand the vulnerabilities and create a remediation plan
Feb 18th: The fix for one of the vulnerabilities and the existing OpenSSL vulnerability was completed, although we were not able to reproduce the symptoms for the fixed vulnerability.
Feb 19th – 20th: The Horizen Labs response team continued analyzing another vulnerability in an attempt to understand if the attack was applicable to our ecosystem while continuing to develop a patch to resolve these vulnerabilities
Feb 21st – 22nd: We validated the fixes with Halborn performing the final testing
Mar 6th: Disclosure timeline confirmed
Mar 13th: ZEND 3.3.0 released to resolve the vulnerabilities
The new 3.3.0 version is available for download on GitHub, the APT repository and via Docker and mitigates the vulnerabilities listed below.
With ZEN 3.3.0, we provide a security fix for:
- P2P DoS
- OpenSSL Feb 7 Security Advisory
Note that ZEN 3.3.0 does not have any impact on the planned deprecation of ZEN 3.2.1 or the next deprecation cycle ending in April 2023.
ZEN 3.3.0 will deprecate on April 7, 2023, around noon UTC. Please make sure you update to ZEN 4.0.0 (to be released) before then if you’re still running ZEN 3.3.0.DOWNLOAD ZEN 3.3.0 NOW
- Did this vulnerability lead to a security breach in the Horizen network??
No. The team was notified by Halborn upon finding it. No denial of service attack was attempted on our partners or node operators.
- What steps have been taken to ensure the security of the Horizen network?
Horizen is uniquely positioned to monitor the network for any abnormal conditions utilizing the Secure and Super Node network. Measures have been put in place to monitor for and detect any early warning signs of a potentially ongoing attack, however unlikely.
Yes. There was no attack on Horizen blockchain. Please always follow the general security best practices to keep your funds safe
- Will any Horizen nodes miss out on node payouts due to this vulnerability?
No. There was no denial of service attack attempted on our node operators.
- Who can we talk to for more information about the vulnerability?
We recommend reaching out to Halborn directly to discuss questions about their findings on this vulnerability.