This vulnerability was discovered by Lilith (>_>) of Cisco Talos.

The Epee library, which is leveraged by a large number of cryptocurrencies, contains an exploitable code execution vulnerability in the Levin deserialization functionality. An attacker can send a specially crafted network packet to cause a logic flaw, resulting in remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos has worked with the developers of Monero 'Lithium Luna' to ensure that these issues have been resolved and that an update has been made available for affected users. It is recommended that this update is applied as quickly as possible to ensure that systems are no longer affected by this vulnerability.

Vulnerability Details

Epee Levin Packet Deserialization Code Execution Vulnerability (TALOS-2018-0637 / CVE-2018-3972)
The Levin network protocol is an implementation of peer-to-peer (P2P) communications found in a large number of cryptocurrencies, including all of the currencies that are forked from the CryptoNote project. A few different implementations of Levin are in existence. This post, however, is focused on the Epee library implementation. This library is used in a large number of cryptocurrencies, most notably Monero. A vulnerability exists in the way the library deserializes the Levin protocol, leading to an incorrect type conversion or cast, which can be abused to gain remote code execution. For additional information, please see the advisory here.

The vulnerability was tested on Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700).

The following Snort ID will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rules: 47342