
perfsonar-announce - [perfsonar-announce] DEFCON Presentation on perfSONAR Vulnerabilities

Subject: perfSONAR Announcements

  • From: Mark Feit <>
  • To: "" <>, "" <>
  • Subject: [perfsonar-announce] DEFCON Presentation on perfSONAR Vulnerabilities
  • Date: Wed, 10 Aug 2016 16:32:36 +0000

At the DEFCON conference in Las Vegas last week, Luke Young gave a presentation entitled "Attacking Network Infrastructure to Generate a 4 Tb/s DDOS for $5", which outlined a trio of vulnerabilities in perfSONAR. The development team has fielded questions about it, so for everyone’s benefit, here is a summary of the vulnerabilities and the current status of each:

Remote command execution (RCE) in a CGI script: This vulnerability was discovered earlier and eliminated when perfSONAR 3.5.1 was released in March.

XML external entity (XXE) in OPPD: This vulnerability required that OPPD be running as the superuser, which is not its usual mode of operation. Launching an attack of the magnitude described in the presentation would require that configuration on a large number of nodes. It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).

Privilege escalation in the configuration daemon: This vulnerability required shell access to the system to exploit. It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).

All auto-updating perfSONAR systems were no longer subject to exploits of these vulnerabilities as of July 7.

The development team will continue to be on the lookout for bugs in perfSONAR and will continue to promptly patch those we discover or are brought to our attention. We would like to thank Mr. Young for sharing his discoveries with us.

Links:

July 7 patch announcement: https://lists.internet2.edu/sympa/arc/perfsonar-announce/2016-07/msg00000.html

Archive of perfSONAR vulnerabilities which have been discovered and patched: http://www.perfsonar.net/deploy/vulnerability-archive.

Mr. Young’s presentation (on the DEFCON web site): https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Luke-Young-The-4TbS-Ddos-For-5-bucks.pdf