
perfsonar-announce - [perfsonar-announce] Important iperf3 security update

Subject: perfSONAR Announcements


  • From: Andrew Lake
  • Subject: [perfsonar-announce] Important iperf3 security update
  • Date: Wed, 8 Jun 2016 16:15:36 -0400

All,

See the attached message for details on an important security fix to iperf3. It is highly recommended all perfSONAR users update to iperf3 version 3.1.3 as soon as possible. If you are running auto-updates you should get the new version within the next 24-48 hours (if not already) depending on how quickly mirrors update.  If you are not running auto-updates, you may run “yum update iperf3” on CentOS/RedHat or "apt-get update && apt-get upgrade iperf3" on Debian/Ubuntu. If you don’t see the update yet, please be patient as the packages were just uploaded prior to the sending of this note and the mirrors need time to sync. 

Though everyone should update as soon as possible, it should be stated that the way in which the average perfSONAR box executes iperf3 should limit the severity of any potential attacks from this vulnerability in the following ways:

- In the perfSONAR use case, the iperf3 client and server processes are started by the BWCTL command as an unprivileged ‘bwctl’ user.  This limits the types of things an attacker can do on the system. Likely they could interrupt the iperf3 process, but it is not clear they could do much else on a properly configured host. 

- BWCTL only runs iperf3 for a few seconds at a time and then closes the connection, minimizing the time window in which things may be vulnerable. This is further minimized by the fact that the vulnerability only exists during the exchange of test parameters and not other parts of the protocol exchange (such as when the test is running and results are reported). 

Regardless of these facts though, the best course of action is to update as soon as you can to eliminate the vulnerability entirely.

Once again, for further details see the official announcement from the iperf3 project shown below. Also let us know if you have any further questions regarding how this may affect your perfSONAR box. 

Thank you,
The perfSONAR Development Team



On June 8, 2016 at 3:02:59 PM, Bruce Mah wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ESnet Software Security Advisory
ESNET-SECADV-2016-0001

Topic: iperf3 JSON parsing vulnerability
Issued: 8 June 2016
Credits: Dave McDaniel, Cisco Talos
Affects: iperf-3.1.2 and earlier,
iperf-3.0.11 and earlier
Corrected: iperf-3.1.3, iperf-3.0.12
Cross-references: TALOS-CAN-0164, CVE-2016-4303

I. Background

iperf3 is a utility for testing network performance using TCP, UDP,
and SCTP, running over IPv4 and IPv6. It uses a client/server model,
where a client and server communicate the parameters of a test,
coordinate the start and end of the test, and exchange results. This
message exchange takes place over a TCP control connection, and relies
on a modified version of the open-source cjson library for rendering
and parsing the various messages in JSON.

II. Problem Description

A bug exists in the way that the included version of the cjson library
handles Unicode literals in JSON string constants. A malformed
Unicode literal can cause a process parsing a block of JSON to
overwrite a pre-allocated buffer in the heap. Note that this bug has
already been fixed in recent versions of cjson.

III. Impact

A malicious process can connect to an iperf3 server and, by sending a
malformed message on the control channel, corrupt the server process's
heap area. This can lead to a crash (and a denial of service), or
theoretically a remote code execution as the user running the iperf3
server. A malicious iperf3 server could potentially mount a similar
attack on an iperf3 client.

iperf2, an older version of the iperf utility, uses a different model
of interaction between client and server, and is not affected by this
issue.

IV. Workaround

There is no workaround for this issue, however as best practice
dictates, iperf3 should not be run with root privileges, to minimize
possible impact.

V. Solution

Update iperf3 to a version containing the fix. On the 3.1 release
train, versions 3.1.3 and later contain the fix. On the 3.0 release
train, versions 3.0.12 and later contain the fix.

Because iperf3 incorporates a modified version of the cjson library,
it is necessary to explicitly update iperf3 to fix this issue,
separately from any other installation of cjson (if present).

VI. Correction details

The bug causing this vulnerability has been fixed by the following
commits in the esnet/iperf3 Github repository:

master ed94082be27d971a5e1b08b666e2c217cf470a40
3.1-STABLE f01a9ca8f7e878e438a53687dabe30b7f7222912
3.0-STABLE 91f2fa59e8ed80dfbf400add0164ee0e508e412a,
7856eb935d511ddb5b5c7d431d1056c9daff0a2a

All released versions of iperf3 issued on or after the date of this
advisory incorporate the fix.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
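
An added example, not part of the advisory or the perfSONAR announcement: a shell check that classifies an installed iperf3 against the fixed releases named in section V (3.1.3 on the 3.1 train, 3.0.12 on the 3.0 train). The function names and the two `iperf3 --version` first-line formats it parses are assumptions; releases numbered after the 3.1 train are treated as fixed because the advisory states that all releases issued after it carry the fix.

```sh
#!/bin/sh
# Added example (not project code): audit a host for ESNET-SECADV-2016-0001.

# Pull the version token from the first line of `iperf3 --version` output.
# Assumed formats: "iperf 3.1.2" and "iperf version 3.0.11 (09 Jan 2015)".
iperf3_parse_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "iperf" {
        for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]/) { print $i; exit }
    }'
}

# Print "fixed", "vulnerable" or "unknown" for a dotted version string.
iperf3_status() {
    ver=$1
    case $ver in
        # Empty, beta tags such as "3.1b3", or junk: do not guess.
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -ne 3 ]; then echo unknown; return 0; fi
    case $minor in
        0) fixed_patch=12 ;;        # 3.0 train: fixed in 3.0.12
        1) fixed_patch=3 ;;         # 3.1 train: fixed in 3.1.3
        *) echo fixed; return 0 ;;  # assumption: later trains postdate the advisory
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then echo fixed; else echo vulnerable; fi
}

# Report on the local binary only when one is installed.
if command -v iperf3 >/dev/null 2>&1; then
    v=$(iperf3_parse_version "$(iperf3 --version 2>&1)")
    echo "iperf3 ${v:-?}: $(iperf3_status "$v")"
fi
```

Because iperf3 bundles its own modified cjson, the check looks at the iperf3 version only and ignores any system cjson package.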


