ESnet Software Security Advisory ESNET-SECADV-2024-0001 Topic: iperf3 RSA authentication Issued: 10 May 2024 Credits: Hubert Kario (RedHat) Affects: iperf-3.2 through iperf-3.16 (inclusive) Corrected: iperf-3.17 Cross-references: CVE-2024-26306 I. Background iperf3 is a utility for testing network performance using TCP, UDP, and SCTP, running over IPv4 and IPv6. It uses a client/server model, where a client and server communicate the parameters of a test, coordinate the start and end of the test, and exchange results. II. Problem Description iperf3 includes an option to require authentication before allowing a client to begin performance tests. The authentication scheme in iperf3 versions <= 3.16 (when used without implicit rejection support, first introduced in OpenSSL 3.2.0) is vulnerable to an RSA decryption side-channel timing attack. This may allow a remote attacker to decrypt a user's iperf3 password and run unauthorized network performance tests. The iperf series of tools perform active measurements to determine the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers. For each test it reports the measured throughput, loss, and other parameters. When configured to require authentication, the EVP_PKEY_decrypt() or RSA_private_decrypt() methods would be used in a non-constant time fashion. An attacker that is able to send a sufficiently large number of messages for decryption to a listening iperf3 server could recover the plaintext credential. This is described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. [1] III. Impact It might be possible for a malicious iperf3 client to decrypt the credential string used for authorization and use this to perform network performance tests without authorization. Note: Despite a similarity in names, iperf2 is unaffected by this issue. IV. Workaround There is no workaround for this issue. V. Solution This has been fixed in iperf 3.17 by using OAEP padding. However, a new option has been added (--use-pkcs1-padding) that will re-enable the vulnerable code for backwards compatibility. VI. Correction details The bug causing this vulnerability has been fixed by the following commit in the esnet/iperf Github repository: master 299b356df6939f71619bf45bf7a7d2222e17d840 All released versions of iperf3 issued on or after the date of this advisory incorporate the fix. We'd like to thank Hubert Kario (https://github.com/tomato42) for bringing this issue to our attention. Security concerns with iperf3 can be submitted privately by sending an email to the developers at . V. References [1] https://people.redhat.com/~hkario/marvin/ VI. Revision history 10 May 2024: Original version of security advisory.