Problem
=======

CPU usage amplification attack, similar to previous vulnerability
[2015-03-02-2][1].

Discovered by
=============

David Renshaw <david@sandstorm.io>

Announced
=========

2015-03-05

CVE
===

CVE-2015-2313

Impact
======

- Remotely cause a peer to execute a tight `for` loop counting from 0 to
  2^29, possibly repeatedly, by sending it a small message. This could enable
  a DoS attack by consuming CPU resources.

Fixed in
========

- git commit [80149744bdafa3ad4eedc83f8ab675e27baee868][0]
- release 0.5.1.2:
  - Unix: https://capnproto.org/capnproto-c++-0.5.1.2.tar.gz
  - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.2.zip
- release 0.4.1.1:
  - Unix: https://capnproto.org/capnproto-c++-0.4.1.2.tar.gz
- release 0.6 (future)

[0]: https://github.com/sandstorm-io/capnproto/commit/80149744bdafa3ad4eedc83f8ab675e27baee868

Details
=======

Advisory [2015-03-02-2][1] described a bug allowing a remote attacker to
consume excessive CPU time or other resources using a specially-crafted message.
The present advisory is simply another case of the same bug which was initially
missed.

The new case occurs only if the application invokes the `totalSize()` method
on an object reader.

The new case is somewhat less severe, in that it only spins in a tight `for`
loop that doesn't call any application code. Only CPU time is possibly
consumed, not RAM or other resources. However, it is still possible to create
significant delays for the receiver with a specially-crafted message.

[1]: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-2-all-cpu-amplification.md

Preventative measures
=====================

Our fuzz test actually covered this case, but we didn't notice the problem
because the loop actually completes in less than a second. We've added a new
test case which is more demanding, and will make sure that when we do extended
testing with American Fuzzy Lop, we treat unexpectedly long run times as
failures.
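As an added illustration of the bug class behind this advisory (not Cap'n Proto's own code, which has its own wire format and its own fix in the commit above), the model below assumes a list pointer whose 29-bit element count is read from an untrusted message: a size computation that trusts the claimed count loops once per element, while one that first checks the claim against the bytes actually present in the segment rejects a crafted small message in constant time.

```cpp
// Added example, not Cap'n Proto code: a simplified list pointer model.
// Assumption: the element count is a 29-bit field, so a message of a few
// bytes can claim up to 2^29 - 1 elements (the figure quoted in the advisory).
#include <cstddef>
#include <cstdint>
#include <stdexcept>

constexpr uint32_t kMaxElementCount = (1u << 29) - 1;  // 29-bit count field

struct ListPointer {
    uint32_t elementCount;  // untrusted: decoded from the wire
    uint32_t elementBytes;  // bytes per element in this simplified model
};

// Unchecked variant: trusts the claimed count and visits every element.
// Returns the number of iterations performed, i.e. the cost of the call.
uint64_t totalSizeUnchecked(const ListPointer& list) {
    uint64_t visited = 0;
    for (uint32_t i = 0; i < list.elementCount; ++i) {
        ++visited;  // a real size walk would descend into each element here
    }
    return visited;
}

// Checked variant: bounds the claim by the bytes remaining in the segment
// before touching any element. A list that claims more data than the
// message carries cannot be valid, so it is rejected without iterating.
uint64_t totalSizeChecked(const ListPointer& list, size_t segmentBytesRemaining) {
    if (list.elementCount > kMaxElementCount) {
        throw std::invalid_argument("element count exceeds 29-bit field");
    }
    if (list.elementBytes == 0) {
        return 0;  // zero-size elements carry no data: nothing to visit
    }
    uint64_t claimedBytes = uint64_t(list.elementCount) * list.elementBytes;
    if (claimedBytes > segmentBytesRemaining) {
        throw std::invalid_argument("list claims more data than the segment holds");
    }
    uint64_t visited = 0;
    for (uint32_t i = 0; i < list.elementCount; ++i) ++visited;
    return visited;
}

// Constructed crafted pointer: a 16-byte segment claiming the maximum count.
// Returns true when the checked walk rejects it instead of spinning 2^29 times.
bool rejectsCraftedMessage() {
    ListPointer crafted{kMaxElementCount, 8};
    try {
        totalSizeChecked(crafted, 16);
    } catch (const std::invalid_argument&) {
        return true;
    }
    return false;
}
```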