Vulnerability Spotlight: ESnet iPerf3 JSON parse_string UTF Code Execution Vulnerability
This vulnerability was discovered by Dave McDaniel, Senior Research Engineer.
iPerf is a network testing application that is typically deployed in a client/server configuration and is used to measure the available network bandwidth between the systems by creating TCP and/or UDP connections. For each connection, iPerf reports maximum bandwidth, loss, and other performance-related metrics. It is commonly used to evaluate and quantify the impact of network optimizations and to obtain baseline metrics related to network performance.
iPerf3, developed by ESnet and Lawrence Berkeley National Laboratory, is a complete redesign of the original iPerf application and uses a forked cJSON library. Cisco Talos recently discovered that the forked version of the cJSON library contains a vulnerability that can lead to Remote Code Execution (RCE) on systems running the iPerf3 server daemon. This vulnerability is related to the way in which the forked cJSON library parses UTF-8/16 strings. There are currently several public iPerf3 servers that are accessible from the internet that may be susceptible to remote exploitation using this vulnerability. While the authors of the underlying cJSON library have since released a patch that resolves this vulnerability, the version of cJSON shipped with iPerf3 3.1-1 is vulnerable. The updated version of the iPerf3 application can be obtained here.
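
The advisory gives no root-cause detail. As an added illustration (not code from iPerf3, cJSON or Talos), here is a bounds-checked C decoder for JSON `\uXXXX` escapes, the UTF-16 to UTF-8 conversion step that a JSON string parser performs. `json_unescape` and `hex4` are hypothetical names, and the decoder handles only the `\uXXXX`, `\"` and `\\` escapes.

```c
#include <stddef.h>
#include <stdint.h>
/* Parse exactly four hex digits; -1 on any non-hex byte (a NUL stops the scan). */
static int hex4(const char *s, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        char c = s[i];
        if (c >= '0' && c <= '9') v = (v << 4) | (uint32_t)(c - '0');
        else if (c >= 'a' && c <= 'f') v = (v << 4) | (uint32_t)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') v = (v << 4) | (uint32_t)(c - 'A' + 10);
        else return -1;
    }
    *out = v;
    return 0;
}

/* Decode a JSON string body (text after the opening quote) into dst[cap].
 * Returns bytes written (excluding the NUL), or -1 on malformed input or if
 * dst is too small. Hypothetical helper: handles only \uXXXX, \" and \\. */
long json_unescape(const char *src, char *dst, size_t cap) {
    static const unsigned char lead[5] = {0, 0, 0xC0, 0xE0, 0xF0};
    size_t n = 0;
    if (cap == 0) return -1;
    while (*src && *src != '"') {
        uint32_t lo, cp = (unsigned char)*src++;
        size_t need = 1;                       /* raw bytes are copied as-is */
        if (cp == '\\') {
            char e = *src++;
            if (e == '"' || e == '\\') cp = (unsigned char)e;
            else if (e != 'u' || hex4(src, &cp)) return -1;
            else {
                src += 4;
                if (cp == 0 || (cp >= 0xDC00 && cp <= 0xDFFF)) return -1; /* NUL / lone low */
                if (cp >= 0xD800 && cp <= 0xDBFF) {  /* high surrogate needs its pair */
                    if (src[0] != '\\' || src[1] != 'u' || hex4(src + 2, &lo)) return -1;
                    if (lo < 0xDC00 || lo > 0xDFFF) return -1;
                    cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                    src += 6;
                }
                need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
            }
        }
        if (need >= cap - n) return -1;        /* always keep room for the NUL */
        for (size_t i = need - 1; i > 0; i--) { dst[n + i] = (char)(0x80 | (cp & 0x3F)); cp >>= 6; }
        dst[n] = (char)(lead[need] | cp);
        n += need;
    }
    if (*src != '"') return -1;                /* unterminated string */
    dst[n] = '\0';
    return (long)n;
}
```

The output size is computed per code point from the decoded value, so a short escape that expands to three or four UTF-8 bytes cannot write past `cap`.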