Thanks for this Bruce & to the iperf 3 team.

A small correction - not sure I'd say iperf2 is an older version but rather
another version based from the original iperf code (using those design
patterns.) The latest version for iperf 2 is version 2.1.9 released on
March 14, 2023. One can always compile the bleeding edge from source per
the master branch. Those commits come in spurts but can be daily. Some new
multicast code was committed yesterday as an example.

https://sourceforge.net/projects/iperf2/

Iperf 2 has new releases about once per year but the master branch is
always current and contains the latest commits. We may release a 2.2.0
within the next few months per new features, e.g. around working-loads and
dual CCAs (amongst others) and bug fixes, and after our standard testing
cycle which takes up to one month. My hope is to release 2.2.0 by the end
of 2023.

I notice a lot of open source distributions are way behind in the iperf2
versions bundled. It may be helpful if engineers in positions to influence
open source packagings become aware of iperf 2 and know newer versions are
generally better both in features and bug fixes. Also the Wi-Fi Alliance
(WFA) <https://www.wi-fi.org/> seems to be standardizing on iperf 2.1.9 for
latency related verifications.

Thanks,
Bob

On Thu, Sep 14, 2023 at 12:38 PM Bruce A. Mah <b...@es.net> wrote:

> ESnet Software Security Advisory
> ESNET-SECADV-2023-0002
>
> Topic:                  iperf3 Server Denial of Service
> Issued:                 13 September 2023
> Credits:                Jorge Sancho Larraz (Canonical)
> Affects:                iperf-3.14 and earlier
> Corrected:              iperf-3.15
>
> I.  Background
>
> iperf3 is a utility for testing network performance using TCP, UDP,
> and SCTP, running over IPv4 and IPv6.  It uses a client/server model,
> where a client and server communicate the parameters of a test,
> coordinate the start and end of the test, and exchange results.  This
> message exchange takes place over a TCP "control connection".
>
> II.  Problem Description
>
> The iperf3 server and client will, at various times, send data over
> the control connection that control the parameters, start and stop of
> a test, and result exchange. Many of these data have some expected
> length to them (whether fixed or variable).
>
> It is possible for a malicious or malfunctioning client to send less
> than the expected amount of data to the server. If this happens, the
> server will hang indefinitely waiting for the remainder (or until the
> connection gets closed). Because iperf3 is deliberately designed to
> service only one client connection at a time, this will prevent other
> connections to the iperf3 server.
>
> III.  Impact
>
> A malicious or misbehaving process can connect to an iperf3 server and
> prevent other connections to the server indefinitely. This issue
> mainly applies to an iperf3 server that is reachable from some
> untrusted host or network, such as the public Internet. It might be
> possible for a malicious iperf3 server to mount a similar attack on an
> iperf3 client.
>
> iperf2, an older version of the iperf utility, uses a different model
> of interaction between client and server, and is not affected by this
> issue.
>
> IV.  Workaround
>
> There is no workaround for this issue, however as best practice
> dictates, iperf3 should not be run with root privileges, to minimize
> possible impact. Note that iperf3 was not designed to be a
> long-running server on the public Internet.
>
> V.  Solution
>
> Update iperf3 to a version containing the fix (i.e. iperf-3.15 or
> later).
>
> VI.  Correction details
>
> The bug causing this vulnerability has been fixed by the following
> commit in the esnet/iperf Github repository:
>
> master          5e3704dd850a5df2fb2b3eafd117963d017d07b4
>
> All released versions of iperf3 issued on or after the date of this
> advisory incorporate the fix.
>
> ESnet would like to thank Jorge Sancho Larraz (Canonical) for bringing
> this issue to our attention.
>
> Security concerns with iperf3 can be submitted privately by sending an
> email to the developers at <ip...@es.net>.
> _______________________________________________
> Iperf-users mailing list
> Iperf-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/iperf-users
>
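The hang the advisory describes, as an added example that is not iperf3's code and not part of either message: a fixed-length read on the control connection that blocks with no deadline, beside the same read bounded by a time budget, both exercised against a constructed client that sends a short message and then goes quiet without closing. COOKIE_LEN, read_exactly and simulate are names chosen for this example, not the project's.

```python
import socket
import threading
import time

COOKIE_LEN = 37  # constructed stand-in for a fixed-length control message; not iperf3's real size

class ControlReadTimeout(Exception):
    """Peer stopped sending before the expected number of bytes arrived."""

def read_exactly(sock, n, budget_s=None):
    """Read exactly n bytes from the control connection.
    budget_s=None is the vulnerable pattern: recv() blocks until the peer sends the
    rest or closes, so a client that sends fewer bytes and stays quiet parks the server.
    With a budget, each recv() gets only the time left, so a stalled peer fails fast."""
    buf = b""
    end = None if budget_s is None else time.monotonic() + budget_s
    while len(buf) < n:
        if end is not None:
            remaining = end - time.monotonic()
            if remaining <= 0:
                raise ControlReadTimeout("got %d of %d bytes" % (len(buf), n))
            sock.settimeout(remaining)
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            raise ControlReadTimeout("got %d of %d bytes" % (len(buf), n))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf

def simulate(budget_s, short_send, wait_s=0.8):
    """Constructed harness: a 'client' sends a full or truncated cookie and then goes
    quiet without closing. Returns 'stalled', 'timeout', 'closed', or the bytes read."""
    srv, cli = socket.socketpair()
    outcome = {}
    def server():
        try:
            outcome["v"] = read_exactly(srv, COOKIE_LEN, budget_s)
        except (ControlReadTimeout, ConnectionError) as e:
            outcome["v"] = "timeout" if isinstance(e, ControlReadTimeout) else "closed"
    t = threading.Thread(target=server, daemon=True)
    t.start()
    cli.sendall(b"x" * (COOKIE_LEN - 5 if short_send else COOKIE_LEN))
    t.join(wait_s)          # give the server a fair chance to finish the read
    stalled = t.is_alive()  # still parked in recv(): the denial-of-service condition
    cli.close()             # peer hangup wakes a stalled blocking reader
    t.join(1)
    srv.close()
    return "stalled" if stalled else outcome["v"]
```

With budget_s=None the short sender leaves the server thread parked in recv() until the client finally hangs up; with a budget the same read returns a timeout and the server can move on.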
