Thanks a lot, Bruce. On Fri, Sep 15, 2023 at 10:32 PM Bruce A. Mah <b...@es.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ESnet Software Security Advisory > ESNET-SECADV-2023-0002 > > Topic: iperf3 Server Denial of Service > Issued: 13 September 2023 > Revised: 15 September 2023 > Credits: Jorge Sancho Larraz (Canonical) > Affects: iperf-3.14 and earlier > Corrected: iperf-3.15 > > I. Background > > iperf3 is a utility for testing network performance using TCP, UDP, > and SCTP, running over IPv4 and IPv6. It uses a client/server model, > where a client and server communicate the parameters of a test, > coordinate the start and end of the test, and exchange results. This > message exchange takes place over a TCP "control connection". > > II. Problem Description > > The iperf3 server and client will, at various times, send data over > the control connection that control the parameters, start and stop of > a test, and result exchange. Many of these data have some expected > length to them (whether fixed or variable). > > It is possible for a malicious or malfunctioning client to send less > than the expected amount of data to the server. If this happens, the > server will hang indefinitely waiting for the remainder (or until the > connection gets closed). Because iperf3 is deliberately designed to > service only one client connection at a time, this will prevent other > connections to the iperf3 server. > > III. Impact > > A malicious or misbehaving process can connect to an iperf3 server and > prevent other connections to the server indefinitely. This issue > mainly applies to an iperf3 server that is reachable from some > untrusted host or network, such as the public Internet. It might be > possible for a malicious iperf3 server to mount a similar attack on an > iperf3 client. > > iperf2 uses a different model of interaction between client and > server, and is not affected by this issue. > > IV. Workaround > > There is no workaround for this issue, however as best practice > dictates, iperf3 should not be run with root privileges, to minimize > possible impact. Note that iperf3 was not designed to be a > long-running server on the public Internet. > > V. Solution > > Update iperf3 to a version containing the fix (i.e. iperf-3.15 or > later). > > VI. Correction details > > The bug causing this vulnerability has been fixed by the following > commit in the esnet/iperf Github repository: > > master 5e3704dd850a5df2fb2b3eafd117963d017d07b4 > > All released versions of iperf3 issued on or after the date of this > advisory incorporate the fix. > > ESnet would like to thank Jorge Sancho Larraz (Canonical) for bringing > this issue to our attention. > > Security concerns with iperf3 can be submitted privately by sending an > email to the developers at <ip...@es.net>. > > V. Revision history > > 13 September 2023: Original version of security advisory. > > 15 September 2023: Corrected inaccurate information about iperf2. > > -----BEGIN PGP SIGNATURE----- > > iQEzBAEBCgAdFiEE+Fo4IENp9xo01E6DSYSRCoyq7ooFAmUEvc8ACgkQSYSRCoyq > 7oqu+Qf+MgZTo47gNDW98/1dWYMLBhAA9ptVh6BLknpxJ/S2HdeWKQNH68cSLG3b > VM7DkZSyCCmad77ySbr3w7/UoFbD1YJetDSdh3J73vdSQNClCUPG9ddSt45QuWsK > kvURAUWHA4lcR/ZsJruWTa9YNYV2qECVJd9zHmUJ9/o01IAoP5sfEQgJJaPX7JWZ > RyCu9rJVBq5yGlLL86338HIoMmNnD212CkDnpoIcEpdocwJ7dkCIZoOPh/KjYoWQ > tLGEgscW3JT9L1zwAjZuHy8vi+wNyXUr8/vLcns4K3FabYFzrKSq5ODs0qgNmpfS > PHOf94N6Qk97M1BA0A8qV9HLF2yS+w== > =FrPM > -----END PGP SIGNATURE----- > > > _______________________________________________ > Iperf-users mailing list > Iperf-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/iperf-users >
_______________________________________________ Iperf-users mailing list Iperf-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/iperf-users
