Ethereum Name Service
Monthly
Improper RSA signature validation in Ethereum Name Service (ENS) versions 1.6.2 and earlier allows attackers to forge DNS signatures for domains under .cc and .name TLDs, enabling unauthorized domain claims on ENS without actual DNS ownership. The vulnerability exploits Bleichenbacher's 2006 attack against RSA keys with low public exponents (e=3), which are used by these two TLDs' Key Signing Keys. No patch is currently available, leaving affected domains vulnerable to takeover attacks.
Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity.
Improper RSA signature validation in Ethereum Name Service (ENS) versions 1.6.2 and earlier allows attackers to forge DNS signatures for domains under .cc and .name TLDs, enabling unauthorized domain claims on ENS without actual DNS ownership. The vulnerability exploits Bleichenbacher's 2006 attack against RSA keys with low public exponents (e=3), which are used by these two TLDs' Key Signing Keys. No patch is currently available, leaving affected domains vulnerable to takeover attacks.
Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, and later regain ownership without the new owners consent or awareness. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity.