Problem
=======

CPU usage amplification attack, similar to previous vulnerability
[2015-03-02-2][1].

Discovered by
=============

David Renshaw <david@sandstorm.io>

Announced
=========

2015-03-05

CVE
===

CVE-2015-2313

Impact
======

- Remotely cause a peer to execute a tight `for` loop counting from 0 to
  2^29, possibly repeatedly, by sending it a small message. This could enable
  a DoS attack by consuming CPU resources.

Fixed in
========

- git commit [80149744bdafa3ad4eedc83f8ab675e27baee868][0]
- release 0.5.1.2:
  - Unix: https://capnproto.org/capnproto-c++-0.5.1.2.tar.gz
  - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.2.zip
- release 0.4.1.1:
  - Unix: https://capnproto.org/capnproto-c++-0.4.1.2.tar.gz
- release 0.6 (future)

[0]: https://github.com/sandstorm-io/capnproto/commit/80149744bdafa3ad4eedc83f8ab675e27baee868

Details
=======

Advisory [2015-03-02-2][1] described a bug allowing a remote attacker to
consume excessive CPU time or other resources using a specially-crafted message.
The present advisory is simply another case of the same bug which was initially
missed.

The new case occurs only if the application invokes the `totalSize()` method
on an object reader.

The new case is somewhat less severe, in that it only spins in a tight `for`
loop that doesn't call any application code. Only CPU time is possibly
consumed, not RAM or other resources. However, it is still possible to create
significant delays for the receiver with a specially-crafted message.

[1]: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-2-all-cpu-amplification.md

Preventative measures
=====================

Our fuzz test actually covered this case, but we didn't notice the problem
because the loop actually completes in less than a second. We've added a new
test case which is more demanding, and will make sure that when we do extended
testing with American Fuzzy Lop, we treat unexpectedly long run times as
failures.