Bug 2222204 (CVE-2023-38403) - CVE-2023-38403 iperf3: memory allocation hazard and crash
Summary: CVE-2023-38403 iperf3: memory allocation hazard and crash
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-38403
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2222205 2222206 2223495 2223676 2223729 2224435 2224436 2224437 2224439 2224440 2224441 2224442 2224443 2224444 2224445 2224446 2224447 2224558
Blocks: 2222207
TreeView+ depends on / blocked
 
Reported: 2023-07-12 09:11 UTC by Mauro Matteo Cascella
Modified: 2023-08-28 14:01 UTC (History)
5 users (show)

Fixed In Version: iperf 3.14
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow flaw was found in the way iperf3 dynamically allocates memory buffers for JSON-formatted messages. A remote attacker could send a specially crafted sequence of bytes on the iperf3 control channel with a specified JSON message length of 0xffffffff to trigger an integer overflow leading the receiving process to abort due to heap corruption. This flaw allows an attacker to use a malicious client to cause a denial of service of an iperf3 server or potentially use a malicious server to cause connecting clients to crash.
Clone Of:
Environment:
Last Closed: 2023-08-08 21:00:31 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4326 0 None None None 2023-07-31 08:53:11 UTC
Red Hat Product Errata RHSA-2023:4414 0 None None None 2023-08-01 14:11:07 UTC
Red Hat Product Errata RHSA-2023:4415 0 None None None 2023-08-01 14:11:11 UTC
Red Hat Product Errata RHSA-2023:4416 0 None None None 2023-08-01 14:10:48 UTC
Red Hat Product Errata RHSA-2023:4431 0 None None None 2023-08-02 13:27:04 UTC
Red Hat Product Errata RHSA-2023:4432 0 None None None 2023-08-02 13:30:57 UTC
Red Hat Product Errata RHSA-2023:4570 0 None None None 2023-08-08 15:37:30 UTC
Red Hat Product Errata RHSA-2023:4571 0 None None None 2023-08-08 15:36:49 UTC

Description Mauro Matteo Cascella 2023-07-12 09:11:06 UTC 
iperf3 uses the length to determine the size of a dynamically allocated memory buffer in which to store the incoming message. If the length equals 0xffffffff, an integer overflow can be triggered in the receiving iperf3 process (typically the server), which can in turn cause heap corruption and an abort/crash. While this is unlikely to happen during normal iperf3 operation, a suitably crafted client program could send a sequence of bytes on the iperf3 control channel to cause an iperf3 server to crash.

Reference:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040830
https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc
https://github.com/esnet/iperf/issues/1542
https://github.com/esnet/iperf/pull/1543
https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9 (3.14)
Comment 2 TEJ RATHI 2023-07-18 04:54:04 UTC 
Created iperf3 tracking bugs for this issue:

Affects: fedora-all [bug 2223495]
Comment 9 errata-xmlrpc 2023-07-31 08:53:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4326 https://access.redhat.com/errata/RHSA-2023:4326
Comment 10 errata-xmlrpc 2023-08-01 14:10:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4416 https://access.redhat.com/errata/RHSA-2023:4416
Comment 11 errata-xmlrpc 2023-08-01 14:11:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4414 https://access.redhat.com/errata/RHSA-2023:4414
Comment 12 errata-xmlrpc 2023-08-01 14:11:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4415 https://access.redhat.com/errata/RHSA-2023:4415
Comment 13 errata-xmlrpc 2023-08-02 13:27:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4431 https://access.redhat.com/errata/RHSA-2023:4431
Comment 14 errata-xmlrpc 2023-08-02 13:30:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4432 https://access.redhat.com/errata/RHSA-2023:4432
Comment 15 errata-xmlrpc 2023-08-08 15:36:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4571 https://access.redhat.com/errata/RHSA-2023:4571
Comment 16 errata-xmlrpc 2023-08-08 15:37:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4570 https://access.redhat.com/errata/RHSA-2023:4570
Comment 17 Product Security DevOps Team 2023-08-08 21:00:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-38403
Note You need to log in before you can comment on or make changes to this bug.