Re: [Iperf-users] iperf3 Security Advisory ESNET-SECADV-2023-0002 (Revised)

2023-09-15 Thread Peter Siyabonga
Thanks a lot, Bruce.

On Fri, Sep 15, 2023 at 10:32 PM Bruce A. Mah wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> ESnet Software Security Advisory
> ESNET-SECADV-2023-0002
>
> Topic:      iperf3 Server Denial of Service
> Issued:     13 September 2023
> Revised:    15 September 2023
> Credits:    Jorge Sancho Larraz (Canonical)
> Affects:    iperf-3.14 and earlier
> Corrected:  iperf-3.15
>
> I.  Background
>
> iperf3 is a utility for testing network performance using TCP, UDP,
> and SCTP, running over IPv4 and IPv6.  It uses a client/server model,
> where a client and server communicate the parameters of a test,
> coordinate the start and end of the test, and exchange results.  This
> message exchange takes place over a TCP "control connection".
>
> II.  Problem Description
>
> The iperf3 server and client will, at various times, send data over
> the control connection that control the parameters, start and stop of
> a test, and result exchange. Many of these data have some expected
> length to them (whether fixed or variable).
>
> It is possible for a malicious or malfunctioning client to send less
> than the expected amount of data to the server. If this happens, the
> server will hang indefinitely waiting for the remainder (or until the
> connection gets closed). Because iperf3 is deliberately designed to
> service only one client connection at a time, this will prevent other
> connections to the iperf3 server.
>
> III.  Impact
>
> A malicious or misbehaving process can connect to an iperf3 server and
> prevent other connections to the server indefinitely. This issue
> mainly applies to an iperf3 server that is reachable from some
> untrusted host or network, such as the public Internet. It might be
> possible for a malicious iperf3 server to mount a similar attack on an
> iperf3 client.
>
> iperf2 uses a different model of interaction between client and
> server, and is not affected by this issue.
>
> IV.  Workaround
>
> There is no workaround for this issue, however as best practice
> dictates, iperf3 should not be run with root privileges, to minimize
> possible impact. Note that iperf3 was not designed to be a
> long-running server on the public Internet.
>
> V.  Solution
>
> Update iperf3 to a version containing the fix (i.e. iperf-3.15 or
> later).
>
> VI.  Correction details
>
> The bug causing this vulnerability has been fixed by the following
> commit in the esnet/iperf Github repository:
>
> master  5e3704dd850a5df2fb2b3eafd117963d017d07b4
>
> All released versions of iperf3 issued on or after the date of this
> advisory incorporate the fix.
>
> ESnet would like to thank Jorge Sancho Larraz (Canonical) for bringing
> this issue to our attention.
>
> Security concerns with iperf3 can be submitted privately by sending an
> email to the developers at .
>
> V.  Revision history
>
> 13 September 2023:  Original version of security advisory.
>
> 15 September 2023:  Corrected inaccurate information about iperf2.
>
> -BEGIN PGP SIGNATURE-
>
> -END PGP SIGNATURE-
>
>
> ___
> Iperf-users mailing list
> Iperf-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/iperf-users
>


Re: [Iperf-users] Iperf 2 as older perception (was Re: iperf3 Security Advisory ESNET-SECADV-2023-0002)

2023-09-15 Thread Bob McMahon via Iperf-users
No worries Bruce. Thanks for the correction.  I'm older too so maybe being
called older isn't really a bad thing ;)

I do think many users will learn each tool's feature set based upon their
needs. Having two similar open source tools with some
overlapping capabilities, e.g. to measure throughput or capacity, is a good
thing for all. If one suspects the tool they can try the other one.

I do think some core properties which both tools support are:

   - capacity measurements with CWND & RTT sampling (iperf2 requires -e)
   - --fq-rate based source pacing
   - support for threads

Note: There may be a move towards TCP CCAs that support source pacing, as
network hosts evolve from as fast as possible (AFAP) towards congestion
mitigation, to help eliminate standing queues or bufferbloat. I've added
some --fq-rate options that might be applicable to the iperf 3 user base -
not sure.

The iperf 2 pacing options include the below as well as supporting the CCA
per client side only setting of --tcp-cca which get passed to the server
(CCA's like prague need it set on both ends for the L4S ECN support.)

   - --tcp-cca: Set the congestion control algorithm to be used for TCP
     connections. (same as --tcp-congestion)
   - --fq-rate n[kmgKMG]: Set a rate to be used with fair-queuing based
     socket-level pacing, in bytes or bits per second. Only available on
     platforms supporting the SO_MAX_PACING_RATE socket option. (Note: Here
     the suffixes indicate bytes/sec or bits/sec per use of uppercase or
     lowercase, respectively)
   - --fq-rate-step n[kmgKMG]: Set a step of rate to be used with
     fair-queuing based socket-level pacing, in bytes or bits per second.
     Step occurs every fq-rate-step-interval (defaults to one second)
   - --fq-rate-step-interval n: Time in seconds before stepping the fq-rate



On Fri, Sep 15, 2023 at 1:35 PM Bruce A. Mah wrote:

> I've corrected our advisory and sent out a new version.
>
> Once again, sorry for giving the wrong impression. I believe this comes
> from a copy-and-paste of some much earlier text that was written before you
> started actively maintaining iperf2 (that does not excuse the error, but
> that's probably why it happened).
>
> Bruce.
>
> I wrote:
>
> > Hi Bob--
> >
> > Apologies! The text "older version" wasn't right and didn't even
> > contribute any value in the context where it was used. I'm not sure how
> > that phrase got included, but that mistake is definitely mine.
> >
> > Thanks for the update on iperf2 activities. We've been working on adding
> > multi-threading capabilities to iperf3, so that it can use multiple CPU
> > cores for higher throughput testing. (Of course, iperf2 has had this
> > ability for quite awhile.) We've done a few public betas over the summer,
> > with generally useful and favorable results. The plan is to bring this into
> > a mainline release "soon".
> >
> > Bruce.
> >
> > If memory serves me right, Bob McMahon wrote:
> >
> >> Thanks for this Bruce & to the iperf 3 team.
> >>
> >> A small correction - not sure I'd say iperf2 is an older version but rather
> >> another version based from the original iperf code (using those design
> >> patterns.) The latest version for iperf 2 is version 2.1.9 released on
> >> March 14, 2023. One can always compile the bleeding edge from source per
> >> the master branch. Those commits come in spurts but can be daily. Some new
> >> multicast code was committed yesterday as an example.
>
> [snip]
>



Re: [Iperf-users] Iperf 2 as older perception (was Re: iperf3 Security Advisory ESNET-SECADV-2023-0002)

2023-09-15 Thread Bruce A. Mah
I've corrected our advisory and sent out a new version.

Once again, sorry for giving the wrong impression. I believe this comes from a 
copy-and-paste of some much earlier text that was written before you started 
actively maintaining iperf2 (that does not excuse the error, but that's 
probably why it happened).

Bruce.

I wrote:

> Hi Bob--
>
> Apologies! The text "older version" wasn't right and didn't even contribute 
> any value in the context where it was used. I'm not sure how that phrase got 
> included, but that mistake is definitely mine.
>
> Thanks for the update on iperf2 activities. We've been working on adding 
> multi-threading capabilities to iperf3, so that it can use multiple CPU cores 
> for higher throughput testing. (Of course, iperf2 has had this ability for 
> quite awhile.) We've done a few public betas over the summer, with generally 
> useful and favorable results. The plan is to bring this into a mainline 
> release "soon".
>
> Bruce.
>
> If memory serves me right, Bob McMahon wrote:
>
>> Thanks for this Bruce & to the iperf 3 team.
>>
>> A small correction - not sure I'd say iperf2 is an older version but rather
>> another version based from the original iperf code (using those design
>> patterns.) The latest version for iperf 2 is version 2.1.9 released on
>> March 14, 2023. One can always compile the bleeding edge from source per
>> the master branch. Those commits come in spurts but can be daily. Some new
>> multicast code was committed yesterday as an example.

[snip]




Re: [Iperf-users] iperf3, CVE-2023-38403

2023-09-15 Thread Bruce A. Mah
Apologies for the late response, but iperf-3.14 and later addresses that issue 
(iperf-3.15 is current as of this writing).

Bruce.

If memory serves me right, David Krale wrote:

> Data Classification: Internal
>
> Hello Iperf,
>
> Is there a version of iperf3 that addresses the vulnerability 
> CVE-2023-38403?
>
> Thank you!
>
> Dave Krale
> IT-Cloud Ops-Network Infrastructure Services
> 707.685.1677
>


[Iperf-users] iperf3 Security Advisory ESNET-SECADV-2023-0002 (Revised)

2023-09-15 Thread Bruce A. Mah
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

ESnet Software Security Advisory
ESNET-SECADV-2023-0002

Topic:      iperf3 Server Denial of Service
Issued:     13 September 2023
Revised:    15 September 2023
Credits:    Jorge Sancho Larraz (Canonical)
Affects:    iperf-3.14 and earlier
Corrected:  iperf-3.15

I.  Background

iperf3 is a utility for testing network performance using TCP, UDP,
and SCTP, running over IPv4 and IPv6.  It uses a client/server model,
where a client and server communicate the parameters of a test,
coordinate the start and end of the test, and exchange results.  This
message exchange takes place over a TCP "control connection".

II.  Problem Description

The iperf3 server and client will, at various times, send data over
the control connection that control the parameters, start and stop of
a test, and result exchange. Many of these data have some expected
length to them (whether fixed or variable).

It is possible for a malicious or malfunctioning client to send less
than the expected amount of data to the server. If this happens, the
server will hang indefinitely waiting for the remainder (or until the
connection gets closed). Because iperf3 is deliberately designed to
service only one client connection at a time, this will prevent other
connections to the iperf3 server.

III.  Impact

A malicious or misbehaving process can connect to an iperf3 server and
prevent other connections to the server indefinitely. This issue
mainly applies to an iperf3 server that is reachable from some
untrusted host or network, such as the public Internet. It might be
possible for a malicious iperf3 server to mount a similar attack on an
iperf3 client.

iperf2 uses a different model of interaction between client and
server, and is not affected by this issue.

IV.  Workaround

There is no workaround for this issue, however as best practice
dictates, iperf3 should not be run with root privileges, to minimize
possible impact. Note that iperf3 was not designed to be a
long-running server on the public Internet.

V.  Solution

Update iperf3 to a version containing the fix (i.e. iperf-3.15 or
later).

VI.  Correction details

The bug causing this vulnerability has been fixed by the following
commit in the esnet/iperf Github repository:

master  5e3704dd850a5df2fb2b3eafd117963d017d07b4

All released versions of iperf3 issued on or after the date of this
advisory incorporate the fix.

ESnet would like to thank Jorge Sancho Larraz (Canonical) for bringing
this issue to our attention.

Security concerns with iperf3 can be submitted privately by sending an
email to the developers at .

V.  Revision history

13 September 2023:  Original version of security advisory.

15 September 2023:  Corrected inaccurate information about iperf2.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-
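
The failure mode from section II of the advisory above, as an added example: this is not iperf3's code and not the fix in the commit the advisory names. It shows a fixed-length read on a stream socket that is bounded by one overall time budget, so a peer that sends less than the expected amount cannot hold a single-client server forever. The names `read_exact_deadline`, `READ_TIMEOUT` and `demo_short_sender` are hypothetical, and a `socketpair()` stands in for the control connection.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

#define READ_TIMEOUT (-2) /* hypothetical code: total time budget used up */

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Read exactly `want` bytes within one overall budget. A per-read timeout
 * would restart on every byte, so a peer dripping data could still hold the
 * slot. Returns want, a short count on EOF, -1 on error, or READ_TIMEOUT. */
ssize_t read_exact_deadline(int fd, void *buf, size_t want, int budget_ms) {
    size_t got = 0;
    long deadline = now_ms() + budget_ms;
    while (got < want) {
        long left = deadline - now_ms();
        if (left <= 0) return READ_TIMEOUT;
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, (int)left);
        if (r < 0 && errno == EINTR) continue;
        if (r < 0) return -1;
        if (r == 0) return READ_TIMEOUT;          /* peer went quiet */
        ssize_t n = read(fd, (char *)buf + got, want - got);
        if (n < 0 && (errno == EINTR || errno == EAGAIN)) continue;
        if (n < 0) return -1;
        if (n == 0) return (ssize_t)got;          /* peer closed early */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Constructed scenario: the reader expects a 4-byte field, the peer sends
 * only `sent` bytes and then stays connected but silent. */
ssize_t demo_short_sender(size_t sent, int budget_ms) {
    int sv[2];
    char field[4];
    ssize_t r = -1;
    if (sent > sizeof field || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (sent == 0 || write(sv[1], "abcd", sent) == (ssize_t)sent)
        r = read_exact_deadline(sv[0], field, sizeof field, budget_ms);
    close(sv[0]);
    close(sv[1]);
    return r;
}

int main(void) {
    printf("full field:  %zd\n", demo_short_sender(4, 200));
    printf("short field: %zd\n", demo_short_sender(2, 200));
    return 0;
}
```

On `READ_TIMEOUT` the caller would close the connection and return to accepting clients, which is what frees the single service slot.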




Re: [Iperf-users] Iperf 2 as older perception (was Re: iperf3 Security Advisory ESNET-SECADV-2023-0002)

2023-09-15 Thread Bruce A. Mah
Hi Bob--

Apologies! The text "older version" wasn't right and didn't even contribute any 
value in the context where it was used. I'm not sure how that phrase got 
included, but that mistake is definitely mine.

Thanks for the update on iperf2 activities. We've been working on adding 
multi-threading capabilities to iperf3, so that it can use multiple CPU cores 
for higher throughput testing. (Of course, iperf2 has had this ability for 
quite awhile.) We've done a few public betas over the summer, with generally 
useful and favorable results. The plan is to bring this into a mainline release 
"soon".

Bruce.

If memory serves me right, Bob McMahon wrote:

> Thanks for this Bruce & to the iperf 3 team.
>
> A small correction - not sure I'd say iperf2 is an older version but rather
> another version based from the original iperf code (using those design
> patterns.) The latest version for iperf 2 is version 2.1.9 released on
> March 14, 2023. One can always compile the bleeding edge from source per
> the master branch. Those commits come in spurts but can be daily. Some new
> multicast code was committed yesterday as an example.
>
> https://sourceforge.net/projects/iperf2/
>
> Iperf 2 has new releases about once per year but the master branch is
> always current and contains the latest commits. We may release a 2.2.0
> within the next few months per new features, e.g. around working-loads and
> dual CCAs (amongst others) and bug fixes, and after our standard testing
> cycle which takes up to one month. My hope is to release 2.2.0 by the end
> of 2023.
>
> I notice a lot of open source distributions are way behind in the iperf2
> versions bundled. It may be helpful if engineers in positions to influence
> open source packagings become aware of iperf 2 and now newer versions are
> generally better both in features and bug fixes. Also the WiFi alliance
> (WFA)  seems to be standardizing on iperf 2.1.9 for
> latency related verifications.
>
> Thanks,
> Bob
>
> On Thu, Sep 14, 2023 at 12:38 PM Bruce A. Mah wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> ESnet Software Security Advisory
>> ESNET-SECADV-2023-0002
>>
>> Topic:      iperf3 Server Denial of Service
>> Issued:     13 September 2023
>> Credits:    Jorge Sancho Larraz (Canonical)
>> Affects:    iperf-3.14 and earlier
>> Corrected:  iperf-3.15
>>
>> I.  Background
>>
>> iperf3 is a utility for testing network performance using TCP, UDP,
>> and SCTP, running over IPv4 and IPv6.  It uses a client/server model,
>> where a client and server communicate the parameters of a test,
>> coordinate the start and end of the test, and exchange results.  This
>> message exchange takes place over a TCP "control connection".
>>
>> II.  Problem Description
>>
>> The iperf3 server and client will, at various times, send data over
>> the control connection that control the parameters, start and stop of
>> a test, and result exchange. Many of these data have some expected
>> length to them (whether fixed or variable).
>>
>> It is possible for a malicious or malfunctioning client to send less
>> than the expected amount of data to the server. If this happens, the
>> server will hang indefinitely waiting for the remainder (or until the
>> connection gets closed). Because iperf3 is deliberately designed to
>> service only one client connection at a time, this will prevent other
>> connections to the iperf3 server.
>>
>> III.  Impact
>>
>> A malicious or misbehaving process can connect to an iperf3 server and
>> prevent other connections to the server indefinitely. This issue
>> mainly applies to an iperf3 server that is reachable from some
>> untrusted host or network, such as the public Internet. It might be
>> possible for a malicious iperf3 server to mount a similar attack on an
>> iperf3 client.
>>
>> iperf2, an older version of the iperf utility, uses a different model
>> of interaction between client and server, and is not affected by this
>> issue.
>>
>> IV.  Workaround
>>
>> There is no workaround for this issue, however as best practice
>> dictates, iperf3 should not be run with root privileges, to minimize
>> possible impact. Note that iperf3 was not designed to be a
>> long-running server on the public Internet.
>>
>> V.  Solution
>>
>> Update iperf3 to a version containing the fix (i.e. iperf-3.15 or
>> later).
>>
>> VI.  Correction details
>>
>> The bug causing this vulnerability has been fixed by the following
>> commit in the esnet/iperf Github repository:
>>
>> master  5e3704dd850a5df2fb2b3eafd117963d017d07b4
>>
>> All released versions of iperf3 issued on or after the date of this
>> advisory incorporate the fix.
>>
>> ESnet would like to thank Jorge Sancho Larraz (Canonical) for bringing
>> this issue to our attention.
>>
>> Security concerns with iperf3 can be submitted privately by sending an
>> email to the developers at .
>> -BEGIN PGP