ESnet iPerf tool vulnerable to remote code execution attacks
Researchers said the vulnerability centers around the mishandling of UTF8/16 strings within cjson.c.
Cisco Talos researchers spotted a vulnerability in ESnet iPerf3 that could allow remote code execution.
ESnet iPerf3 is a tool that allows users to measure the maximum achievable bandwidth on IP networks and the vulnerability is caused by a specially crafted JSON string that can lead to buffer overflow on the heap, according to a June 8 blog post.
“The vulnerability centers around the mishandling of UTF8/16 strings within cjson.c,” researchers wrote in the post.
While the authors of the underlying cJSON have since released a patch, the version of cJSON that was shipped with iPerf3 3.1-1 is still vulnerable and there are currently several iPerf3 servers accessible from the internet that can be exploited by the vulnerability, the post said.
Researchers recommended users upgrade to the latest version of the iPerf3 as soon as possible to resolve the vulnerability.