Problem
=======

CPU usage amplification attack, similar to the previous vulnerability
[2015-03-02-2][1].

Discovered by
=============

David Renshaw <david@sandstorm.io>

Announced
=========

2015-03-05

CVE
===

CVE-2015-2313

Impact
======

- Remotely cause a peer to execute a tight `for` loop counting from 0 to
  2^29, possibly repeatedly, by sending it a small message. This could enable
  a DoS attack by consuming CPU resources.

Fixed in
========

- git commit [80149744bdafa3ad4eedc83f8ab675e27baee868][0]
- release 0.5.1.2:
  - Unix: https://capnproto.org/capnproto-c++-0.5.1.2.tar.gz
  - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.2.zip
- release 0.4.1.2:
  - Unix: https://capnproto.org/capnproto-c++-0.4.1.2.tar.gz
- release 0.6 (future)

[0]: https://github.com/sandstorm-io/capnproto/commit/80149744bdafa3ad4eedc83f8ab675e27baee868

Details
=======

Advisory [2015-03-02-2][1] described a bug allowing a remote attacker to
consume excessive CPU time or other resources using a specially-crafted message.
The present advisory is simply another case of the same bug that was initially
missed.

The new case occurs only if the application invokes the `totalSize()` method
on an object reader.

The new case is somewhat less severe, in that it only spins in a tight `for`
loop that doesn't call any application code. Only CPU time is possibly
consumed, not RAM or other resources. However, it is still possible to create
significant delays for the receiver with a specially-crafted message: the
element count field of a list pointer is 29 bits wide, so a single 8-byte
pointer can claim up to 2^29 elements, and a list whose elements occupy no
space passes a byte-based bounds check no matter how many elements it claims.

[1]: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-2-all-cpu-amplification.md

Preventative measures
=====================

Our fuzz test covered this case, but we didn't notice the problem because the
loop completes in less than a second. We've added a new test case which is
more demanding, and will make sure that when we do extended testing with
American Fuzzy Lop, we treat unexpectedly long run times as failures.
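The following is an added, self-contained model of the amplification pattern described under "Details"; it is not code from the Cap'n Proto project or from the linked commit. The list-pointer bit layout (2-bit kind, 30-bit offset, 3-bit element size code, 29-bit element count) is the one in the Cap'n Proto encoding spec, but the bounds check, the per-element loop, and the `ReadLimiter` budget are simplified stand-ins for the library's own logic, and only the non-composite element sizes (codes 0 to 6) are modeled. The function and type names are this example's own. The "vulnerable" function shows why a 1-word message passes a size check yet costs 2^29 iterations; the "hardened" function charges every claimed element against a traversal budget (the default budget here, 8 Mi words, is an assumption for the demo) and skips the loop entirely when the elements contain nothing to walk.

```cpp
#include <chrono>
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Wire layout of a Cap'n Proto list pointer (encoding spec):
//   bits  0-1 : 1  (list pointer)
//   bits  2-31: signed word offset from the end of the pointer to the body
//   bits 32-34: element size code
//   bits 35-63: element count, 29 bits -> at most 2^29 - 1 elements
struct ListPtr {
  int32_t  offsetWords;
  uint8_t  sizeCode;
  uint32_t count;
};

inline ListPtr decodeListPtr(uint64_t w) {
  return ListPtr{static_cast<int32_t>(static_cast<uint32_t>(w)) >> 2,
                 static_cast<uint8_t>((w >> 32) & 7),
                 static_cast<uint32_t>(w >> 35)};
}

inline uint64_t encodeListPtr(int32_t offsetWords, uint8_t sizeCode, uint32_t count) {
  return 1ull | static_cast<uint64_t>(static_cast<uint32_t>(offsetWords) << 2)
       | (static_cast<uint64_t>(sizeCode) << 32) | (static_cast<uint64_t>(count) << 35);
}

// Bits per element for size codes 0..6 (void, bit, byte, 2/4/8 bytes, pointer).
// Code 7 (inline composite) stores a word count instead and is not modeled.
inline uint64_t bitsPerElement(uint8_t code) {
  static const uint64_t kBits[7] = {0, 1, 8, 16, 32, 64, 64};
  if (code > 6) throw std::runtime_error("inline composite not modeled");
  return kBits[code];
}

// Words occupied by the list body; this is what a bounds check against the
// segment compares.  For zero-size elements it is 0 regardless of count.
inline uint64_t bodyWords(const ListPtr& p) {
  return (static_cast<uint64_t>(p.count) * bitsPerElement(p.sizeCode) + 63) / 64;
}

// Vulnerable shape: the bounds check passes because the body is 0 words, then
// a per-element loop runs `count` times (up to 2^29 - 1).  In the real reader
// the loop body would follow each element's pointer; there is nothing to
// follow for non-pointer elements, yet the loop still runs.
inline uint64_t vulnerableTotalSize(uint64_t ptrWord, uint64_t segmentWordsAfterPtr) {
  ListPtr p = decodeListPtr(ptrWord);
  uint64_t body = bodyWords(p);
  if (body > segmentWordsAfterPtr) throw std::runtime_error("out of bounds");
  volatile uint64_t total = 1 + body;           // pointer word plus body; volatile keeps the loop
  for (uint32_t i = 0; i < p.count; ++i) total = total + 0;  // attacker-controlled trip count
  return total;
}

// Traversal budget in words.  Every element the receiver would visit is
// charged against it, so the work done is bounded by the budget, not by the
// 29-bit count field.  (Budget size and name are this example's assumptions.)
struct ReadLimiter {
  uint64_t remainingWords;
  void charge(uint64_t words) {
    if (words > remainingWords) throw std::runtime_error("traversal limit exceeded");
    remainingWords -= words;
  }
};

inline uint64_t hardenedTotalSize(uint64_t ptrWord, uint64_t segmentWordsAfterPtr,
                                  ReadLimiter& limit) {
  ListPtr p = decodeListPtr(ptrWord);
  uint64_t body = bodyWords(p);
  if (body > segmentWordsAfterPtr) throw std::runtime_error("out of bounds");
  // Charge the larger of the real body size and one word per claimed element,
  // so a message cannot make the receiver do more work than it pays for.
  limit.charge(body > p.count ? body : p.count);
  uint64_t total = 1 + body;
  if (p.sizeCode != 6) return total;          // no pointers in the elements: nothing to walk
  for (uint32_t i = 0; i < p.count; ++i) total += 0;  // pointer elements: per-element work here
  return total;
}

int main() {
  // Constructed attack message: one list pointer, void elements, count 2^29 - 1.
  const uint64_t evil = encodeListPtr(0, 0, (1u << 29) - 1);
  auto t0 = std::chrono::steady_clock::now();
  uint64_t v = vulnerableTotalSize(evil, 0);
  auto ms = std::chrono::duration_cast<std::chrono::milliseconds>(
                std::chrono::steady_clock::now() - t0).count();
  std::printf("vulnerable: total=%llu words after %lld ms of spinning\n",
              (unsigned long long)v, (long long)ms);
  ReadLimiter limit{8ull << 20};  // assumed budget: 8 Mi words = 64 MiB
  try {
    hardenedTotalSize(evil, 0, limit);
  } catch (const std::runtime_error& e) {
    std::printf("hardened: rejected (%s)\n", e.what());
  }
  return 0;
}
```

The check a practitioner should take from this: a bounds check expressed in bytes or words is not a bound on work when elements can be zero-sized, so any loop driven by an attacker-supplied element count needs either a per-element charge against a traversal budget or an early exit when there is nothing per element to do.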