Re: [perfsonar-announce] DEFCON Presentation on perfSONAR Vulnerabilities


  • From: Luke Young <>
  • To: "" <>
  • Cc: "" <>
  • Subject: Re: [perfsonar-announce] DEFCON Presentation on perfSONAR Vulnerabilities
  • Date: Tue, 23 Aug 2016 22:19:40 -0700

Hi [perfsonar-user],

I was only just recently made aware of the message that went out to [perfsonar-announce] regarding my DEFCON talk and I wanted to apologize since it seems some people were unnecessarily alarmed by it.

As Mark pointed out, all of the vulnerabilities discussed in the talk have been patched, and if your system is set to auto-update (which I highly recommend) you were already protected.

Much of the confusion comes from the final slide of the linked PDF slides which indicates some of the issues are "unresolved". This is not correct and is an unfortunate side-effect of the DEFCON process where the initial presentation slides used during the call for papers application are uploaded to the site instead of the final slides. This slide was updated well before the actual presentation and correctly indicated the issues were fixed at the dates Mark mentioned.

Finally, I wanted to note that the perfSONAR team was absolutely wonderful to work with and had an incredible response time to these issues when they were reported. I've reported security issues to a large number of vendors and was pleasantly surprised by the response from the team, good job! While I mentioned this in-person at the end of my talk it doesn't appear in the previously mentioned PDF which is the only public record of the talk (video coming at some point in the future) so I wanted to acknowledge the team here as well.

Best,
Luke Young

On Wed, Aug 10, 2016 at 9:32 AM, Mark Feit <> wrote:

At the DEFCON conference in Las Vegas last week, Luke Young gave a presentation entitled Attacking Network Infrastructure to Generate a 4 Tb/s DDOS for $5 which outlined a trio of vulnerabilities in perfSONAR.  The development team has fielded questions about it, so for everyone’s benefit, here is a summary of the vulnerabilities and the current status of each:
Remote command execution (RCE) in a CGI script:  This vulnerability was discovered earlier and eliminated when perfSONAR 3.5.1 was released in March.
XML external entity (XXE) in OPPD:  This vulnerability required that OPPD be running as the superuser, which is not its usual mode of operation.  Launching an attack of the magnitude described in the presentation would require that configuration on a large number of nodes.  It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).
Privilege escalation in the configuration daemon:  This vulnerability required shell access to the system to exploit.  It was eliminated within hours of Mr. Young making us aware of its existence, and the updated software was announced the same day (July 7).
All auto-updating perfSONAR systems were no longer subject to exploits of these vulnerabilities as of July 7.
The development team will continue to be on the lookout for bugs in perfSONAR and will continue to promptly patch those we discover or are brought to our attention.  We would like to thank Mr. Young for sharing his discoveries with us.
Links:
July 7 patch announcement:  https://lists.internet2.edu/sympa/arc/perfsonar-announce/2016-07/msg00000.html
Archive of perfSONAR vulnerabilities which have been discovered and patched: http://www.perfsonar.net/deploy/vulnerability-archive.
Mr. Young’s presentation (on the DEFCON web site):  https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Luke-Young-The-4TbS-Ddos-For-5-bucks.pdf