Source: iperf3
Version: 3.13-2
Severity: serious
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

A security advisory for iperf3 has been issued.

https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc

ESnet Software Security Advisory
ESNET-SECADV-2023-0001

Topic:            iperf3 memory allocation hazard and crash
Issued:           7 July 2023
Credits:          @someusername123 via GitHub
Affects:          iperf-3.13 and earlier
Corrected:        iperf-3.14
Cross-references: esnet/iperf#1542 on GitHub

I. Background

iperf3 is a utility for testing network performance using TCP, UDP, and SCTP, running over IPv4 and IPv6. It uses a client/server model, where a client and server communicate the parameters of a test, coordinate the start and end of the test, and exchange results. This message exchange takes place over a TCP "control connection".

II. Problem Description

The iperf3 server and client will, at various times, exchange JSON-formatted messages containing parameters and test results. By convention, the actual JSON representation is preceded by a four-byte integer that gives the length of the JSON message.

iperf3 uses the length to determine the size of a dynamically allocated memory buffer in which to store the incoming message. If the length equals 0xffffffff, an integer overflow can be triggered in the receiving iperf3 process (typically the server), which can in turn cause heap corruption and an abort/crash. While this is unlikely to happen during normal iperf3 operation, a suitably crafted client program could send a sequence of bytes on the iperf3 control channel to cause an iperf3 server to crash.

III. Impact

A malicious process can connect to an iperf3 server and, by sending a malformed message on the control channel, cause the server process to abort due to heap corruption. A malicious iperf3 server could potentially mount a similar attack on an iperf3 client.

Among the officially supported platforms, this problem has only been observed on Linux. So far, it has not been reproduced with iperf3 running under Linux or macOS.

iperf2, an older version of the iperf utility, uses a different model of interaction between client and server, and is not affected by this issue.

IV. Workaround

There is no workaround for this issue; however, as best practice dictates, iperf3 should not be run with root privileges, to minimize possible impact.

V. Solution

Update iperf3 to a version containing the fix (i.e. iperf-3.14 or later).

VI. Correction details

The bug causing this vulnerability has been fixed by the following commit in the esnet/iperf GitHub repository:

master 0ef151550d96cc4460f98832df84b4a1e87c65e9

All released versions of iperf3 issued on or after the date of this advisory incorporate the fix.
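
The length-prefix hazard described in section II, as an added example that is not code from iperf3 or from the advisory: it shows how a 32-bit "length + 1" size wraps to 0 for 0xffffffff, next to a reader that bounds the length before allocating. The function names, the 1 MiB cap MAX_MSG_LEN, the big-endian prefix and the sample frames are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap for one control message; not a value from the advisory. */
#define MAX_MSG_LEN (1u << 20)

/* Unchecked pattern: "payload + NUL" size computed in 32 bits.
 * For len == 0xffffffff the sum wraps to 0, so the buffer is undersized. */
static uint32_t unchecked_alloc_size(uint32_t len) { return len + 1u; }

/* Checked parse of one frame in buf[0..buflen): 4-byte length prefix
 * (assumed big-endian) followed by the payload. Returns a malloc'd,
 * NUL-terminated copy, or NULL if truncated, empty, or over the cap. */
static char *parse_frame(const unsigned char *buf, size_t buflen, size_t *out_len)
{
    if (buf == NULL || buflen < 4)
        return NULL;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (len == 0 || len > MAX_MSG_LEN)   /* bound before any arithmetic */
        return NULL;
    if ((size_t)len > buflen - 4)        /* payload must actually be present */
        return NULL;
    char *msg = malloc((size_t)len + 1); /* len is capped, so this cannot wrap */
    if (msg == NULL)
        return NULL;
    memcpy(msg, buf + 4, len);
    msg[len] = '\0';
    if (out_len != NULL)
        *out_len = len;
    return msg;
}

int main(void)
{
    /* Constructed sample frames: a 2-byte JSON body, and a 0xffffffff prefix. */
    const unsigned char ok[]  = { 0, 0, 0, 2, '{', '}' };
    const unsigned char bad[] = { 0xff, 0xff, 0xff, 0xff, '{', '}' };
    size_t n = 0;
    char *m = parse_frame(ok, sizeof ok, &n);
    printf("valid frame: %s\n", m ? m : "(rejected)");
    free(m);
    printf("0xffffffff frame: %s\n",
           parse_frame(bad, sizeof bad, &n) ? "accepted" : "rejected");
    printf("unchecked size: %u\n", (unsigned)unchecked_alloc_size(0xffffffffu));
    return 0;
}
```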