ESnet Software Security Advisory ESNET-SECADV-2024-0002

Topic:            iperf3 server denial of service
Issued:           13 December 2024
Credits:          Leonid Krolle Bi.Zone.
Affects:          All versions of iperf3 prior to iperf-3.18
Corrected:        iperf-3.18
Cross-references: CVE-2024-53580

I. Background

iperf3 is a utility for testing network performance using TCP, UDP, and SCTP, running over IPv4 and IPv6. It uses a client/server model, where a client and server communicate the parameters of a test, coordinate the start and end of the test, and exchange results.

II. Problem Description

The iperf3 client transmits the parameters for a test to the iperf3 server as a JSON object. Due to insufficient checking on the server, the server could crash with a NULL pointer dereference if a numeric value is passed as a parameter for which a string is expected.

III. Impact

It might be possible for a malfunctioning or malicious iperf3 client to crash an iperf3 server.

Note: Despite a similarity in names, iperf2 is unaffected by this issue.

IV. Workaround

There is no workaround for this issue.

V. Solution

This has been fixed in iperf-3.18. Upgrade to iperf-3.18 or newer.

VI. Correction details

The bug causing this vulnerability has been fixed by the following commit in the esnet/iperf GitHub repository:

master 3f66f604df7f1038a49108c48612c2f4fe71331f

All released versions of iperf3 issued on or after the date of this advisory incorporate this fix.

The iperf3 development team wishes to thank Leonid Krolle Bi.Zone. for bringing this issue to our attention.

Security concerns with iperf3 can be submitted privately by sending an email to the developers at .

VII. References

VIII. Revision history

13 December 2024: Original version of security advisory.
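The defect class described in Section II (a server reading a JSON field as a string without first confirming the field is a string, so that a numeric value leaves the string pointer NULL and the next strlen or strcpy dereferences it) is illustrated below with an added example. This is not iperf3's code and does not reproduce the fixed commit; the json_node structure is a constructed stand-in for the node type of a typical C JSON library, and all function names are assumptions chosen for the example. It contrasts the unchecked accessor with a type-checked one that returns an error instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a parsed JSON value, in the style of common C JSON
 * libraries: a type tag plus payload fields. Constructed for this example. */
enum json_type { JSON_NULL, JSON_NUMBER, JSON_STRING };

struct json_node {
    enum json_type type;
    const char *valuestring;  /* set only when type == JSON_STRING, else NULL */
    double valuenumber;       /* meaningful only when type == JSON_NUMBER */
};

/* Result codes for parameter extraction. */
enum {
    PARAM_OK         =  0,
    PARAM_MISSING    = -1,
    PARAM_WRONG_TYPE = -2,
    PARAM_TOO_LONG   = -3
};

/* Unchecked pattern (shown for contrast, never called here): assumes the
 * client sent a string. If the client sent a number instead, valuestring is
 * NULL and strlen() dereferences it, which is the crash class in this
 * advisory. */
void copy_string_param_unchecked(const struct json_node *node, char *dst)
{
    size_t n = strlen(node->valuestring);  /* NULL dereference on a number */
    memcpy(dst, node->valuestring, n + 1);
}

/* Checked pattern: verify presence, JSON type, and destination capacity
 * before touching the payload. A malformed control message becomes an
 * error the server can log and reject rather than a crash. */
int copy_string_param(const struct json_node *node, char *dst, size_t dstlen)
{
    if (node == NULL)
        return PARAM_MISSING;
    if (node->type != JSON_STRING || node->valuestring == NULL)
        return PARAM_WRONG_TYPE;

    size_t n = strlen(node->valuestring);
    if (n + 1 > dstlen)
        return PARAM_TOO_LONG;

    memcpy(dst, node->valuestring, n + 1);
    return PARAM_OK;
}

/* Exercise the checked accessor with a node of the given type, as if the
 * node had been pulled out of the client's parameter object. */
int try_read_as_string(enum json_type type, const char *s, double d)
{
    char buf[32];
    struct json_node node = { type, s, d };
    return copy_string_param(&node, buf, sizeof buf);
}

/* Exercise the case where the client omitted the parameter entirely. */
int try_read_missing(void)
{
    char buf[32];
    return copy_string_param(NULL, buf, sizeof buf);
}

int main(void)
{
    /* Constructed inputs: a well-formed string parameter, a number where a
     * string was expected, a missing parameter, and an oversized string. */
    printf("string value   -> %d (expect %d)\n",
           try_read_as_string(JSON_STRING, "cubic", 0.0), PARAM_OK);
    printf("numeric value  -> %d (expect %d)\n",
           try_read_as_string(JSON_NUMBER, NULL, 5.0), PARAM_WRONG_TYPE);
    printf("missing value  -> %d (expect %d)\n",
           try_read_missing(), PARAM_MISSING);
    printf("oversized      -> %d (expect %d)\n",
           try_read_as_string(JSON_STRING,
               "0123456789012345678901234567890123456789", 0.0),
           PARAM_TOO_LONG);
    return 0;
}
```

The point of the checked accessor is that every field read from a peer-supplied control message is validated against the type the server expects before any pointer in the node is used; a server that applies this to every string parameter turns the crash described in Section II into a rejected test request.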