Mercurial > hg > sv-dependency-builds
annotate src/capnproto-git-20161025/security-advisories/2015-03-05-0-c++-addl-cpu-amplification.md @ 133:1ac99bfc383d
Add Cap'n Proto source
| author | Chris Cannam <cannam@all-day-breakfast.com> |
|---|---|
| date | Tue, 25 Oct 2016 11:17:01 +0100 |
| parents | |
| children |
| rev | line source |
|---|---|
| cannam@133 | 1 Problem |
| cannam@133 | 2 ======= |
| cannam@133 | 3 |
| cannam@133 | 4 CPU usage amplification attack, similar to previous vulnerability |
| cannam@133 | 5 [2015-03-02-2][1]. |
| cannam@133 | 6 |
| cannam@133 | 7 Discovered by |
| cannam@133 | 8 ============= |
| cannam@133 | 9 |
| cannam@133 | 10 David Renshaw <david@sandstorm.io> |
| cannam@133 | 11 |
| cannam@133 | 12 Announced |
| cannam@133 | 13 ========= |
| cannam@133 | 14 |
| cannam@133 | 15 2015-03-05 |
| cannam@133 | 16 |
| cannam@133 | 17 CVE |
| cannam@133 | 18 === |
| cannam@133 | 19 |
| cannam@133 | 20 CVE-2015-2313 |
| cannam@133 | 21 |
| cannam@133 | 22 Impact |
| cannam@133 | 23 ====== |
| cannam@133 | 24 |
| cannam@133 | 25 - Remotely cause a peer to execute a tight `for` loop counting from 0 to |
| cannam@133 | 26 2^29, possibly repeatedly, by sending it a small message. This could enable |
| cannam@133 | 27 a DoS attack by consuming CPU resources. |
| cannam@133 | 28 |
| cannam@133 | 29 Fixed in |
| cannam@133 | 30 ======== |
| cannam@133 | 31 |
| cannam@133 | 32 - git commit [80149744bdafa3ad4eedc83f8ab675e27baee868][0] |
| cannam@133 | 33 - release 0.5.1.2: |
| cannam@133 | 34 - Unix: https://capnproto.org/capnproto-c++-0.5.1.2.tar.gz |
| cannam@133 | 35 - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.2.zip |
| cannam@133 | 36 - release 0.4.1.1: |
| cannam@133 | 37 - Unix: https://capnproto.org/capnproto-c++-0.4.1.2.tar.gz |
| cannam@133 | 38 - release 0.6 (future) |
| cannam@133 | 39 |
| cannam@133 | 40 [0]: https://github.com/sandstorm-io/capnproto/commit/80149744bdafa3ad4eedc83f8ab675e27baee868 |
| cannam@133 | 41 |
| cannam@133 | 42 Details |
| cannam@133 | 43 ======= |
| cannam@133 | 44 |
| cannam@133 | 45 Advisory [2015-03-02-2][1] described a bug allowing a remote attacker to |
| cannam@133 | 46 consume excessive CPU time or other resources using a specially-crafted message. |
| cannam@133 | 47 The present advisory is simply another case of the same bug which was initially |
| cannam@133 | 48 missed. |
| cannam@133 | 49 |
| cannam@133 | 50 The new case occurs only if the application invokes the `totalSize()` method |
| cannam@133 | 51 on an object reader. |
| cannam@133 | 52 |
| cannam@133 | 53 The new case is somewhat less severe, in that it only spins in a tight `for` |
| cannam@133 | 54 loop that doesn't call any application code. Only CPU time is possibly |
| cannam@133 | 55 consumed, not RAM or other resources. However, it is still possible to create |
| cannam@133 | 56 significant delays for the receiver with a specially-crafted message. |
| cannam@133 | 57 |
| cannam@133 | 58 [1]: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-2-all-cpu-amplification.md |
| cannam@133 | 59 |
| cannam@133 | 60 Preventative measures |
| cannam@133 | 61 ===================== |
| cannam@133 | 62 |
| cannam@133 | 63 Our fuzz test actually covered this case, but we didn't notice the problem |
| cannam@133 | 64 because the loop actually completes in less than a second. We've added a new |
| cannam@133 | 65 test case which is more demanding, and will make sure that when we do extended |
| cannam@133 | 66 testing with American Fuzzy Lop, we treat unexpectedly long run times as |
| cannam@133 | 67 failures. |