-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ESnet Software Security Advisory ESNET-SECADV-2016-0001

Topic:            iperf3 JSON parsing vulnerability
Issued:           8 June 2016
Credits:          Dave McDaniel, Cisco Talos
Affects:          iperf-3.1.2 and earlier, iperf-3.0.11 and earlier
Corrected:        iperf-3.1.3, iperf-3.0.12
Cross-references: TALOS-CAN-0164, CVE-2016-4303

I. Background

iperf3 is a utility for testing network performance using TCP, UDP, and SCTP, running over IPv4 and IPv6. It uses a client/server model, where a client and server communicate the parameters of a test, coordinate the start and end of the test, and exchange results. This message exchange takes place over a TCP control connection, and relies on a modified version of the open-source cjson library for rendering and parsing the various messages in JSON.

II. Problem Description

A bug exists in the way that the included version of the cjson library handles Unicode literals in JSON string constants. A malformed Unicode literal can cause a process parsing a block of JSON to overwrite a pre-allocated buffer in the heap.

Note that this bug has already been fixed in recent versions of cjson.

III. Impact

A malicious process can connect to an iperf3 server and, by sending a malformed message on the control channel, corrupt the server process's heap area. This can lead to a crash (and a denial of service) or, theoretically, remote code execution as the user running the iperf3 server. A malicious iperf3 server could potentially mount a similar attack on an iperf3 client.

iperf2, an older version of the iperf utility, uses a different model of interaction between client and server, and is not affected by this issue.

IV. Workaround

There is no workaround for this issue; however, as best practice dictates, iperf3 should not be run with root privileges, to minimize possible impact.

V. Solution

Update iperf3 to a version containing the fix. On the 3.1 release train, versions 3.1.3 and later contain the fix. On the 3.0 release train, versions 3.0.12 and later contain the fix.

Because iperf3 incorporates a modified version of the cjson library, it is necessary to explicitly update iperf3 to fix this issue, separately from any other installation of cjson (if present).

VI. Correction details

The bug causing this vulnerability has been fixed by the following commits in the esnet/iperf3 GitHub repository:

master      ed94082be27d971a5e1b08b666e2c217cf470a40
3.1-STABLE  f01a9ca8f7e878e438a53687dabe30b7f7222912
3.0-STABLE  91f2fa59e8ed80dfbf400add0164ee0e508e412a,
            7856eb935d511ddb5b5c7d431d1056c9daff0a2a

All released versions of iperf3 issued on or after the date of this advisory incorporate the fix.

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJXVz9kAAoJEEmEkQqMqu6KCkQH+waaTGN8XO8STaHB14H53xAc
n5jfRmgMH832Wekqe2Pxhb5Z1psJJv32oUsHg2V+6XyxcbpOhs/VQ5LtGumWi+mV
P1UkczzvDjz+NSlFXaOVlAPV/UhuUfEYBVTd3WvGz669aDfE7ztL6+0sbDiNkPYT
LQ38Wl/opuyaC8YC5S82xz6atYx+3uS0PfYDot1yu0C22v/V0iZ8+rV2wtiLnyth
5paT8OXlkzkhAFycjewXnzGqtXaL9rlcHqJp7713fnFsRNhDQW66Hb8viGqtnHPJ
PV+M7f+QnX1lsLrNtWhi4PGIlTayTjUqv/Cu9zc5fxNsZytlFVI6lytkRsqOlbY=
=SRVl
-----END PGP SIGNATURE-----
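Section II describes the bug class: a JSON parser that, on a malformed Unicode literal in a string constant, writes past a pre-allocated heap buffer. For readers auditing their own JSON handling (the fix for iperf3 itself is the update in Section V), the following C is an added illustration of the defensive shape such a decoder should have. It is not code from iperf3 or from cjson and does not reproduce the actual cjson defect; the function names (`hex4`, `parse_u_escape`, `utf8_put`, `json_unescape`, `json_unescape_dup`), the choice to reject U+0000, and the sample strings in the comments are all constructed for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not iperf3 or cjson code: a bounds-checked decoder for
   JSON string escapes, including \uXXXX literals and surrogate pairs. */
static const char HEX[] = "0123456789abcdef";

/* Exactly four hex digits or failure; a truncated "\u12" is rejected
   before the loop can read past the end of the input. */
static int hex4(const char *p, uint32_t *cp) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        const char *d = p[i] ? strchr(HEX, tolower((unsigned char)p[i])) : NULL;
        if (d == NULL) return -1;
        v = (v << 4) | (uint32_t)(d - HEX);
    }
    *cp = v;
    return 0;
}

/* Decode the \u escape whose digits start at *pp. A high surrogate must be
   followed by "\uDC00".."\uDFFF"; lone surrogates and U+0000 are rejected.
   Advances *pp past everything consumed on success. */
static int parse_u_escape(const char **pp, uint32_t *cp) {
    const char *p = *pp;
    uint32_t hi, lo;
    if (hex4(p, &hi) != 0) return -1;
    p += 4;
    if (hi >= 0xDC00 && hi <= 0xDFFF) return -1;
    if (hi >= 0xD800 && hi <= 0xDBFF) {
        if (p[0] != '\\' || p[1] != 'u' || hex4(p + 2, &lo) != 0) return -1;
        if (lo < 0xDC00 || lo > 0xDFFF) return -1;
        hi = 0x10000 + ((hi - 0xD800) << 10) + (lo - 0xDC00);
        p += 6;
    }
    if (hi == 0) return -1;
    *pp = p;
    *cp = hi;
    return 0;
}

/* UTF-8-encode cp into out only if it fits in cap bytes; *n gets the length. */
static int utf8_put(uint32_t cp, char *out, size_t cap, size_t *n) {
    static const unsigned char lead[5] = { 0, 0x00, 0xC0, 0xE0, 0xF0 };
    unsigned char *o = (unsigned char *)out;
    size_t len = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (len > cap) return -1;
    o[0] = (unsigned char)(lead[len] | (cp >> (6 * (len - 1))));
    for (size_t i = 1; i < len; i++)
        o[i] = (unsigned char)(0x80 | ((cp >> (6 * (len - 1 - i))) & 0x3F));
    *n = len;
    return 0;
}

/* Decode the quoted JSON string at `in` into `out`, NUL-terminated. Every
   byte written is checked against outcap, so a caller whose own length
   estimate was wrong still cannot be made to overflow the buffer. Returns
   bytes written (excluding the NUL), or -1 on malformed input or no space. */
long json_unescape(const char *in, char *out, size_t outcap) {
    const char *from = "\"\\/bfnrt", *to = "\"\\/\b\f\n\r\t";
    size_t n = 0;
    if (outcap == 0 || *in != '"') return -1;
    for (in++; *in != '"'; ) {
        if ((unsigned char)*in < 0x20) return -1;   /* NUL (unterminated) or raw control byte */
        if (*in != '\\') {
            if (n + 1 >= outcap) return -1;
            out[n++] = *in++;
            continue;
        }
        char c = in[1];
        in += 2;
        if (c == 'u') {
            uint32_t cp; size_t w;
            if (parse_u_escape(&in, &cp) != 0) return -1;
            if (utf8_put(cp, out + n, outcap - n - 1, &w) != 0) return -1;
            n += w;
            continue;
        }
        const char *q = c ? strchr(from, c) : NULL;  /* NULL: unknown escape or "\" at end */
        if (q == NULL || n + 1 >= outcap) return -1;
        out[n++] = to[q - from];
    }
    out[n] = '\0';
    return (long)n;
}

/* Allocate with a provable bound: no escape decodes to more bytes than it
   occupies in the input, so strlen(in) + 1 always suffices and no separate
   length-counting pass is needed. Caller frees; NULL if malformed. */
char *json_unescape_dup(const char *in) {
    size_t cap = strlen(in) + 1;
    char *out = malloc(cap);
    if (out != NULL && json_unescape(in, out, cap) < 0) { free(out); out = NULL; }
    return out;
}
```

Two design choices carry the security argument. First, the allocation size in `json_unescape_dup` is derived from `strlen(in)`, which is a correct upper bound because a six-character `\uXXXX` escape decodes to at most three bytes and a twelve-character surrogate pair to four; this removes the need for a separate counting pass whose result could disagree with the writing pass. Second, `json_unescape` does not trust that bound anyway: each byte, including every byte of a multi-byte UTF-8 sequence, is checked against `outcap` before it is written, and a truncated escape such as `"\u12"` or a lone surrogate is rejected before anything is emitted. Either property alone would have stopped a heap overwrite of the kind this advisory describes; a parser that is handed untrusted input over a network, as iperf3's control channel is, should have both.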