Bug 1215662

Summary: VUL-0: iperf: server denial-of-service issues
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, carlos.lopez, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/379741/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2023-09-25 10:15:17 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ESnet Software Security Advisory
ESNET-SECADV-2023-0002

Topic:          iperf3 Server Denial of Service
Issued:         13 September 2023
Revised:        15 September 2023
Credits:        Jorge Sancho Larraz (Canonical)
Affects:        iperf-3.14 and earlier
Corrected:      iperf-3.15

I.  Background

iperf3 is a utility for testing network performance using TCP, UDP,
and SCTP, running over IPv4 and IPv6.  It uses a client/server model,
where a client and server communicate the parameters of a test,
coordinate the start and end of the test, and exchange results.  This
message exchange takes place over a TCP "control connection".

II.  Problem Description

The iperf3 server and client will, at various times, send data over
the control connection that control the parameters, start and stop of
a test, and result exchange. Many of these data have some expected
length to them (whether fixed or variable).

It is possible for a malicious or malfunctioning client to send less
than the expected amount of data to the server. If this happens, the
server will hang indefinitely waiting for the remainder (or until the
connection gets closed). Because iperf3 is deliberately designed to
service only one client connection at a time, this will prevent other
connections to the iperf3 server.

III.  Impact

A malicious or misbehaving process can connect to an iperf3 server and
prevent other connections to the server indefinitely. This issue
mainly applies to an iperf3 server that is reachable from some
untrusted host or network, such as the public Internet. It might be
possible for a malicious iperf3 server to mount a similar attack on an
iperf3 client.

iperf2 uses a different model of interaction between client and
server, and is not affected by this issue.

IV.  Workaround

There is no workaround for this issue, however as best practice
dictates, iperf3 should not be run with root privileges, to minimize
possible impact. Note that iperf3 was not designed to be a
long-running server on the public Internet.

V.  Solution

Update iperf3 to a version containing the fix (i.e. iperf-3.15 or
later).

VI.  Correction details

The bug causing this vulnerability has been fixed by the following
commit in the esnet/iperf Github repository:

master      5e3704dd850a5df2fb2b3eafd117963d017d07b4

All released versions of iperf3 issued on or after the date of this
advisory incorporate the fix.

ESnet would like to thank Jorge Sancho Larraz (Canonical) for bringing
this issue to our attention.

Security concerns with iperf3 can be submitted privately by sending an
email to the developers at <iperf@es.net>.

V.  Revision history

13 September 2023:  Original version of security advisory.

15 September 2023:  Corrected inaccurate information about iperf2.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE+Fo4IENp9xo01E6DSYSRCoyq7ooFAmUEvc8ACgkQSYSRCoyq
7oqu+Qf+MgZTo47gNDW98/1dWYMLBhAA9ptVh6BLknpxJ/S2HdeWKQNH68cSLG3b
VM7DkZSyCCmad77ySbr3w7/UoFbD1YJetDSdh3J73vdSQNClCUPG9ddSt45QuWsK
kvURAUWHA4lcR/ZsJruWTa9YNYV2qECVJd9zHmUJ9/o01IAoP5sfEQgJJaPX7JWZ
RyCu9rJVBq5yGlLL86338HIoMmNnD212CkDnpoIcEpdocwJ7dkCIZoOPh/KjYoWQ
tLGEgscW3JT9L1zwAjZuHy8vi+wNyXUr8/vLcns4K3FabYFzrKSq5ODs0qgNmpfS
PHOf94N6Qk97M1BA0A8qV9HLF2yS+w==
=FrPM
-----END PGP SIGNATURE-----

References:
https://github.com/esnet/iperf/releases/tag/3.15
https://downloads.es.net/pub/iperf/esnet-secadv-2023-0002.txt.asc
Comment 2 OBSbugzilla Bot 2023-09-26 08:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1215662) was mentioned in
https://build.opensuse.org/request/show/1113604 Factory / iperf
Comment 3 Dirk Mueller 2023-09-26 11:53:26 UTC 
the patch can not be backported in isolation as it depends on the time abstraction that was introduced in an interim version. so I simply submitted the version update to package hub.
Comment 5 OBSbugzilla Bot 2023-09-26 12:35:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1215662) was mentioned in
https://build.opensuse.org/request/show/1113658 Factory / iperf
Comment 6 Maintenance Automation 2023-09-28 16:30:04 UTC 
SUSE-SU-2023:3887-1: An update that has one security fix can now be installed.

Category: security (important)
Bug References: 1215662
Sources used:
openSUSE Leap 15.4 (src): iperf-3.15-150000.3.6.1
openSUSE Leap 15.5 (src): iperf-3.15-150000.3.6.1
SUSE Package Hub 15 15-SP4 (src): iperf-3.15-150000.3.6.1
SUSE Package Hub 15 15-SP5 (src): iperf-3.15-150000.3.6.1
SUSE Enterprise Storage 7.1 (src): iperf-3.15-150000.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Carlos López 2024-03-18 09:04:19 UTC 
*** Bug 1221555 has been marked as a duplicate of this bug. ***
Comment 8 Carlos López 2024-03-18 09:05:09 UTC 
This was assigned CVE-2023-7250