
perfsonar-user - [perfsonar-user] ESnet Software Security Advisory ESNET-SECADV-2016-0001 (iperf3)

Subject: perfSONAR User Q&A and Other Discussion

  • From: Bruce Mah
  • Cc: Bruce Mah
  • Subject: [perfsonar-user] ESnet Software Security Advisory ESNET-SECADV-2016-0001 (iperf3)
  • Date: Wed, 8 Jun 2016 12:02:51 -0700


ESnet Software Security Advisory
ESNET-SECADV-2016-0001

Topic: iperf3 JSON parsing vulnerability
Issued: 8 June 2016
Credits: Dave McDaniel, Cisco Talos
Affects: iperf-3.1.2 and earlier,
         iperf-3.0.11 and earlier
Corrected: iperf-3.1.3, iperf-3.0.12
Cross-references: TALOS-CAN-0164, CVE-2016-4303

I. Background

iperf3 is a utility for testing network performance using TCP, UDP,
and SCTP, running over IPv4 and IPv6. It uses a client/server model,
where a client and server communicate the parameters of a test,
coordinate the start and end of the test, and exchange results. This
message exchange takes place over a TCP control connection, and relies
on a modified version of the open-source cjson library for rendering
and parsing the various messages in JSON.

II. Problem Description

A bug exists in the way that the included version of the cjson library
handles Unicode literals in JSON string constants. A malformed
Unicode literal can cause a process parsing a block of JSON to
overwrite a pre-allocated buffer in the heap. Note that this bug has
already been fixed in recent versions of cjson.

III. Impact

A malicious process can connect to an iperf3 server and, by sending a
malformed message on the control channel, corrupt the server process's
heap area. This can lead to a crash (and a denial of service), or
theoretically a remote code execution as the user running the iperf3
server. A malicious iperf3 server could potentially mount a similar
attack on an iperf3 client.

iperf2, an older version of the iperf utility, uses a different model
of interaction between client and server, and is not affected by this
issue.

IV. Workaround

There is no workaround for this issue. However, as best practice
dictates, iperf3 should not be run with root privileges, to minimize
possible impact.

V. Solution

Update iperf3 to a version containing the fix. On the 3.1 release
train, versions 3.1.3 and later contain the fix. On the 3.0 release
train, versions 3.0.12 and later contain the fix.

Because iperf3 incorporates a modified version of the cjson library,
it is necessary to explicitly update iperf3 to fix this issue,
separately from any other installation of cjson (if present).

VI. Correction details

The bug causing this vulnerability has been fixed by the following
commits in the esnet/iperf3 GitHub repository:

master      ed94082be27d971a5e1b08b666e2c217cf470a40
3.1-STABLE  f01a9ca8f7e878e438a53687dabe30b7f7222912
3.0-STABLE  91f2fa59e8ed80dfbf400add0164ee0e508e412a,
            7856eb935d511ddb5b5c7d431d1056c9daff0a2a

All released versions of iperf3 issued on or after the date of this
advisory incorporate the fix.
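
The upgrade rule from section V, as an added example for auditing hosts (not part of the advisory or of iperf3): it classifies version banners against the fixed releases 3.1.3 and 3.0.12. The host names and banner strings are constructed, and treating release trains after 3.1 as fixed is an assumption based on the advisory's statement that all releases issued on or after its date contain the fix.

```python
import re

# First fixed release on each affected train (advisory section V).
FIXED = {(3, 0): 12, (3, 1): 3}

# Matches "iperf 3.1.2", "iperf version 3.0.11", "iperf3-3.1.2-1" style text.
_VERSION = re.compile(
    r"\biperf3?[ \t-]+(?:version[ \t]+)?(\d+)\.(\d+)(?:\.(\d+))?")


def classify(banner):
    """Return 'affected', 'fixed', 'not-iperf3' or 'unknown' for a banner."""
    m = _VERSION.search(banner)
    if not m:
        return "unknown"          # no parsable version: needs a manual check
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)  # e.g. "3.1b3" has no patch level: use 0
    if major != 3:
        return "not-iperf3"       # iperf2 is not affected (section III)
    if (major, minor) in FIXED:
        return "affected" if patch < FIXED[(major, minor)] else "fixed"
    # Assumption: trains after 3.1 were released after the advisory date.
    return "fixed"


def audit(inventory):
    """Group hosts by status; inventory maps host name -> version banner."""
    report = {}
    for host, banner in inventory.items():
        report.setdefault(classify(banner), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (not real hosts or captured output).
SAMPLE = {
    "ps-a.example.net": "iperf 3.1.2",
    "ps-b.example.net": "iperf 3.1.3",
    "ps-c.example.net": "iperf version 3.0.11",
    "ps-d.example.net": "iperf 3.0.12",
    "ps-e.example.net": "iperf version 2.0.5",
    "ps-f.example.net": "iperf 3.1b3",
    "ps-g.example.net": "sh: iperf3: command not found",
}

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(status, hosts)
```

A distribution package may carry the fix under an older upstream version number, so confirm an "affected" result against the vendor's changelog before acting on it.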