perfsonar-announce - Re: [perfsonar-announce] DEFCON Presentation on perfSONAR Vulnerabilities
Subject: perfSONAR Announcements
List archive
- From: Luke Young <>
- To: "" <>
- Cc: "" <>
- Subject: Re: [perfsonar-announce] DEFCON Presentation on perfSONAR Vulnerabilities
- Date: Tue, 23 Aug 2016 22:19:40 -0700
- Ironport-phdr: 9a23:CcHlYx1YfWN/J1qIsmDT+DRfVm0co7zxezQtwd8ZsesfIvad9pjvdHbS+e9qxAeQG96Eu7QZ0KGP7ujJYi8p39WoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6i760TlHUA3yLwRuIeL8AMvPlMmt/+G055DJZQhU3nywba44ZEGuoB/frc4QiJEnN7080DPIpGdFYeJb2TkuKF6OyUXS/MC1qbp+8CkYivU88cEIBaD3V64/V7FUSjkgPGEz6cDx40qQBTCT72cRBz1F2iFDBBLIuUn3
At the DEFCON conference in Las Vegas last week, Luke Young gave a presentation entitled Attacking Network Infrastructure to Generate a 4 Tb/s DDOS for $5 which outlined a trio of vulnerabilities in perfSONAR. The development team has fielded questions about it, so for everyone’s benefit, here is a summary of the vulnerabilities and the current status of each:
Remote command execution (RCE) in a CGI script: This vulnerability was discovered earlier and eliminated when perfSONAR 3.5.1 was released in March.
XML external entity (XXE) in OPPD: This vulnerability required that OPPD be running as the superuser, which is not its usual mode of operation. Launching an attack of the magnitude described in the presentation would require that configuration on a large number of nodes. It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).
Privilege escalation in the configuration daemon: This vulnerability required shell access to the system to exploit. It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).
All auto-updating perfSONAR systems were no longer subject to exploits of these vulnerabilities as of July 7.
The development team will continue to be on the lookout for bugs in perfSONAR and will continue to promptly patch those we discover or are brought to our attention. We would like to thank Mr. Young for sharing his discoveries with us.
Links:
July 7 patch announcement: https://lists.internet2.edu/
sympa/arc/perfsonar-announce/ 2016-07/msg00000.html
Archive of perfSONAR vulnerabilities which have been discovered and patched: http://www.perfsonar.
net/deploy/vulnerability- .archive
Mr. Young’s presentation (on the DEFCON web site): https://media.defcon.org/DEF%
20CON%2024/DEF%20CON%2024% 20presentations/DEFCON-24- Luke-Young-The-4TbS-Ddos-For- 5-bucks.pdf
- [perfsonar-announce] DEFCON Presentation on perfSONAR Vulnerabilities, Mark Feit, 08/10/2016
- Re: [perfsonar-announce] DEFCON Presentation on perfSONAR Vulnerabilities, Luke Young, 08/24/2016
Archive powered by MHonArc 2.6.19.