SVG:Advisory-SVG-CVE-2016-4303

From EGIWiki





Title:       EGI SVG Advisory [TLP:WHITE] CRITICAL risk CVE-2016-4303 in iperf3 in Perfsonar [EGI-SVG-CVE-2016-4303] 

Date:        2016-06-13
Updated:     

Affected software and risk
==========================

CRITICAL risk vulnerability concerning iperf3 used in perfSONAR 

Package : iperf3 (used in perfSONAR)
CVE ID  : CVE-2016-4303 

A heap buffer overflow has been found in the JSON parser (a modified cJSON) bundled with iperf3, for which 
a lot of public information is available. An unauthenticated remote attacker who can connect to an iperf3 
server can corrupt the heap of the server process (and a malicious server can do the same to a client).  

Actions required/recommended
============================
 
Sites running perfSONAR are required to urgently install a non-vulnerable version of iperf3 if 
they have not done so already.

All running resources MUST be either patched or have the software removed by 2016-06-21 00:00 UTC

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. 

Affected software details
=========================

versions iperf-3.1.2 and earlier (3.1 release train) are affected
versions iperf-3.0.11 and earlier (3.0 release train) are affected

fixed in versions iperf-3.1.3, iperf-3.0.12
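
Because the fix was released separately on each train, a plain "newer than 3.0.12" test is wrong: 3.1.2 is newer than 3.0.12 and still vulnerable. The function below is an added example, not code from EGI SVG, perfSONAR or the iperf3 project; it parses a version string such as the first line printed by `iperf3 --version` ("iperf 3.1.2") and applies the per-train rule from this advisory. The input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Parse "iperf 3.1.3", "iperf-3.0.12" or "3.1.3" into major/minor/patch.
 * Returns 1 on success, 0 if the string carries no x.y.z version. */
static int parse_version(const char *s, int *maj, int *min, int *pat)
{
    const char *p = s;
    while (*p && (*p < '0' || *p > '9'))
        p++;                                  /* skip "iperf " or "iperf-" */
    return sscanf(p, "%d.%d.%d", maj, min, pat) == 3;
}

/* 1 = vulnerable to CVE-2016-4303, 0 = not vulnerable, -1 = cannot tell.
 * The fix landed per release train (3.0.12 and 3.1.3), so each train is
 * compared against its own first fixed patch level. */
int iperf3_vulnerable(const char *version)
{
    int maj, min, pat;
    if (!parse_version(version, &maj, &min, &pat)) return -1;
    if (maj == 2) return 0;        /* iperf2: different code base, not affected (ESnet advisory) */
    if (maj != 3) return -1;       /* not an iperf3 version string we know */
    if (min == 0) return pat < 12; /* 3.0 train: fixed in 3.0.12 */
    if (min == 1) return pat < 3;  /* 3.1 train: fixed in 3.1.3 */
    return 0;                      /* later trains were released after the fix */
}
```

Feed it the output of `iperf3 --version` on each perfSONAR host; a result of 1 means the host must be updated before the deadline above, -1 means the string could not be parsed and the host needs a manual look.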

More information
================

It is probably difficult to do more than a DoS, but since remote code execution as the user running iperf3 
cannot be ruled out, EGI SVG has assessed this vulnerability as 'Critical'.

Many sites are likely to have automatically updated. 

More information is available at [R 1], [R 2]

Most people who run perfSONAR should already have received the following note from the perfSONAR development team:

An important security fix to iperf3. It is highly recommended all perfSONAR users update to iperf3 version 
3.1.3 as soon as possible. If you are running auto-updates you should get the new version within the 
next 24-48 hours (if not already) depending on how quickly mirrors update.  If you are not running auto-updates, 
you may run "yum update iperf3" on CentOS/RedHat or "apt-get update && apt-get upgrade iperf3" on Debian/Ubuntu. 
If you don't see the update yet, please be patient as the packages were just uploaded prior to the sending of 
this note and the mirrors need time to sync.

Though everyone should update as soon as possible, it should be stated that the way in which the average perfSONAR 
box executes iperf3 should limit the severity of any potential attacks from this vulnerability in the following ways:

- In the perfSONAR use case, the iperf3 client and server processes are started by the BWCTL command as an 
unprivileged ‘bwctl’ user.  This limits the types of things an attacker can do on the system. Likely they 
could interrupt the iperf3 process, but it is not clear they could do much else on a properly configured host.

- BWCTL only runs iperf3 for a few seconds at a time and then closes the connection, minimizing the time window 
in which things may be vulnerable. This is further minimized by the fact that the vulnerability only exists 
during the exchange of test parameters and not other parts of the protocol exchange (such as when the test is 
running and results are reported).

Regardless of these facts though, the best course of action is to update as soon as you can to eliminate the 
vulnerability entirely.

Once again, for further details see the official announcement from the iperf3 project shown below. 
Also let us know if you have any further questions regarding how this may affect your perfSONAR box.

Thank you,
The perfSONAR Development Team




On June 8, 2016 at 3:02:59 PM, Bruce Mah (bmah@es.net) wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ESnet Software Security Advisory
ESNET-SECADV-2016-0001

Topic: iperf3 JSON parsing vulnerability
Issued: 8 June 2016
Credits: Dave McDaniel, Cisco Talos
Affects: iperf-3.1.2 and earlier,
iperf-3.0.11 and earlier
Corrected: iperf-3.1.3, iperf-3.0.12
Cross-references: TALOS-CAN-0164, CVE-2016-4303

I. Background

iperf3 is a utility for testing network performance using TCP, UDP, and SCTP, running over IPv4 and IPv6. 
It uses a client/server model, where a client and server communicate the parameters of a test, coordinate 
the start and end of the test, and exchange results. This message exchange takes place over a TCP control 
connection, and relies on a modified version of the open-source cjson library for rendering and parsing 
the various messages in JSON.

II. Problem Description

A bug exists in the way that the included version of the cjson library handles Unicode literals in 
JSON string constants. A malformed Unicode literal can cause a process parsing a block of JSON to overwrite 
a pre-allocated buffer in the heap. Note that this bug has already been fixed in recent versions of cjson.

III. Impact

A malicious process can connect to an iperf3 server and, by sending a malformed message on the control channel, 
corrupt the server process's heap area. This can lead to a crash (and a denial of service), or theoretically a 
remote code execution as the user running the iperf3 server. A malicious iperf3 server could potentially mount 
a similar attack on an iperf3 client.

iperf2, an older version of the iperf utility, uses a different model of interaction between client and server, 
and is not affected by this issue.

IV. Workaround

There is no workaround for this issue, however as best practice dictates, iperf3 should not be run with root 
privileges, to minimize possible impact.

V. Solution

Update iperf3 to a version containing the fix. On the 3.1 release train, versions 3.1.3 and later contain the fix. 
On the 3.0 release train, versions 3.0.12 and later contain the fix.

Because iperf3 incorporates a modified version of the cjson library, it is necessary to explicitly update iperf3 to 
fix this issue, separately from any other installation of cjson (if present).

VI. Correction details

The bug causing this vulnerability has been fixed by the following commits in the esnet/iperf3 Github repository:

master ed94082be27d971a5e1b08b666e2c217cf470a40
3.1-STABLE f01a9ca8f7e878e438a53687dabe30b7f7222912
3.0-STABLE 91f2fa59e8ed80dfbf400add0164ee0e508e412a,
7856eb935d511ddb5b5c7d431d1056c9daff0a2a

All released versions of iperf3 issued on or after the date of this advisory incorporate the fix.
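
The bug class described in sections II and III of the ESnet advisory above, as an added example that is not part of the original advisory, the iperf3 source or the cjson library: a two-pass string decoder sizes its heap buffer by counting input bytes up to the closing quote, then copies while decoding escapes; if the `\u` handler advances by a fixed four bytes without checking that four hex digits exist, a truncated literal such as `\u1` skips the closing quote and the copy continues into whatever follows the string in the received message, past the buffer the first pass sized. That exact code path is an assumption about the bug, not a copy of the shipped parser. The message buffer is constructed, and the `end` bound exists only to keep the demonstration memory-safe; the vulnerable code has no such bound. A hardened decoder that consumes an escape only when it is complete, pairs surrogates and bounds every write is shown beside it.

```c
/* Added example: model of a cjson-style two-pass JSON string decoder (sized
 * first, copied second) beside a hardened decoder. The fixed 4-byte skip in
 * naive_decode() is an assumption about the bug class, not iperf3 code. */
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Store one byte if there is room, but always advance the count, so a caller
 * can measure how far past the buffer an unchecked copy would have gone. */
static size_t put(char *out, size_t cap, size_t n, unsigned c)
{
    if (n < cap) out[n] = (char)c;
    return n + 1;
}

static size_t put_utf8(char *out, size_t cap, size_t n, unsigned cp)
{
    if (cp < 0x80) return put(out, cap, n, cp);
    if (cp < 0x800) n = put(out, cap, n, 0xC0 | (cp >> 6));
    else {
        if (cp < 0x10000) n = put(out, cap, n, 0xE0 | (cp >> 12));
        else {
            n = put(out, cap, n, 0xF0 | (cp >> 18));
            n = put(out, cap, n, 0x80 | ((cp >> 12) & 0x3F));
        }
        n = put(out, cap, n, 0x80 | ((cp >> 6) & 0x3F));
    }
    return put(out, cap, n, 0x80 | (cp & 0x3F));
}

/* Read up to four hex digits like sscanf("%4x"); returns how many were found. */
static int hex4(const char *p, unsigned *v)
{
    int i, c;
    *v = 0;
    for (i = 0; i < 4 && isxdigit((unsigned char)p[i]); i++) {
        c = (unsigned char)p[i];
        *v = *v * 16 + (unsigned)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    }
    return i;
}

/* Pass 1 (vulnerable model): count bytes up to the closing quote, treating
 * each backslash escape as one output byte. Input must be NUL-terminated. */
int naive_size(const char *s)
{
    const char *p = s + 1;
    int len = 0;
    if (*s != '"') return -1;
    while (*p != '"' && *p && ++len)
        if (*p++ == '\\') p++;
    return len;
}

/* Pass 2 (vulnerable model): copy into out[cap]. After "\u" the digits are
 * read leniently and the cursor advances a fixed four bytes regardless, so
 * "\u1" jumps over the closing quote and the loop keeps copying the rest of
 * the message. Returns the bytes the copy needs, including the NUL. */
size_t naive_decode(const char *s, const char *end, char *out, size_t cap)
{
    const char *p = s + 1;
    size_t n = 0;
    while (p < end && *p != '"' && *p) {
        if (*p != '\\') { n = put(out, cap, n, (unsigned char)*p++); continue; }
        p++;
        if (*p == 'u') {
            unsigned cp;
            hex4(p + 1, &cp);   /* digit count ignored  */
            p += 4;             /* fixed skip: the bug  */
            n = put_utf8(out, cap, n, cp);
        } else {
            n = put(out, cap, n, *p == 'n' ? '\n' : (unsigned char)*p);
        }
        p++;
    }
    return n + 1;
}

/* Hardened decoder: an escape is consumed only when all of it is present,
 * surrogate halves must be paired, every write is bounds-checked. Returns the
 * decoded length (without NUL) or -1 for malformed or oversize input. */
long safe_decode(const char *s, const char *end, char *out, size_t cap)
{
    const char *p = s + 1;
    size_t n = 0;
    if (s >= end || *s != '"' || cap == 0) return -1;
    while (p < end && *p != '"') {
        if (*p != '\\') {
            n = put(out, cap, n, (unsigned char)*p++);
        } else {
            unsigned cp, lo;
            if (end - p < 2) return -1;
            switch (p[1]) {
            case 'u':
                if (end - p < 6 || hex4(p + 2, &cp) != 4) return -1;
                p += 6;
                if (cp == 0 || (cp >= 0xDC00 && cp <= 0xDFFF)) return -1;
                if (cp >= 0xD800 && cp <= 0xDBFF) {          /* high half needs a low half */
                    if (end - p < 6 || p[0] != '\\' || p[1] != 'u' ||
                        hex4(p + 2, &lo) != 4 || lo < 0xDC00 || lo > 0xDFFF) return -1;
                    cp = 0x10000 + (((cp & 0x3FF) << 10) | (lo & 0x3FF));
                    p += 6;
                }
                break;
            case 'n': cp = '\n'; p += 2; break;
            case '"': case '\\': case '/': cp = (unsigned char)p[1]; p += 2; break;
            default: return -1;
            }
            n = put_utf8(out, cap, n, cp);
        }
        if (n >= cap) return -1;   /* out of room: the NUL still needs a byte */
    }
    if (p >= end) return -1;       /* unterminated string */
    out[n] = '\0';
    return (long)n;
}

/* Size the string the naive way, then measure how many bytes the naive copy
 * would write beyond that allocation. msg is a NUL-terminated constructed
 * message; offset is the index of the string's opening quote. */
long overflow_bytes(const char *msg, size_t offset)
{
    const char *s = msg + offset, *end = msg + strlen(msg);
    int len = naive_size(s);
    size_t cap, need;
    char *out;
    if (len < 0) return -1;
    cap = (size_t)len + 1;              /* what malloc(len + 1) would give */
    out = malloc(cap);
    if (!out) return -1;
    need = naive_decode(s, end, out, cap);
    free(out);
    return need > cap ? (long)(need - cap) : 0;
}
```

With the constructed message `{"cookie":"\u1"}` followed by sixteen `A` bytes standing in for the rest of the control message, the naive pass sizes a three-byte buffer and the naive copy then needs seventeen, a fourteen-byte heap overwrite whose contents are the attacker's trailing bytes; `safe_decode()` rejects the same string because `\u1` does not carry four hex digits, while well-formed escapes, including a surrogate pair, decode to the expected UTF-8.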


Mitigation
==========

N/A 

Component installation information
==================================

See "More information" above.


TLP and URL
===========
                      
** WHITE information - Unlimited distribution allowed - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-4303    

Minor updates may be made without re-distribution to the sites

Credit
======

SVG was alerted to this vulnerability by Duncan Rand


References
==========

[R 1] http://stats.es.net/ServicesDirectory/

[R 2] http://www.talosintel.com/reports/TALOS-2016-0164/


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look.  


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-2016-11234] 

2016-06-09 SVG alerted to this issue by Duncan Rand
2016-06-09 Acknowledgement from the EGI SVG to the reporter
2016-06-09 Updated packages available 
2016-06-10 EGI SVG Risk Assessment completed
2016-06-13 Advisory/Alert sent to sites
2016-06-13 Advisory placed on the SVG wiki



On behalf of the EGI SVG,