cannam@133: Problem cannam@133: ======= cannam@133: cannam@133: CPU usage amplification attack, similar to previous vulnerability cannam@133: [2015-03-02-2][1]. cannam@133: cannam@133: Discovered by cannam@133: ============= cannam@133: cannam@133: David Renshaw <david@sandstorm.io> cannam@133: cannam@133: Announced cannam@133: ========= cannam@133: cannam@133: 2015-03-05 cannam@133: cannam@133: CVE cannam@133: === cannam@133: cannam@133: CVE-2015-2313 cannam@133: cannam@133: Impact cannam@133: ====== cannam@133: cannam@133: - Remotely cause a peer to execute a tight `for` loop counting from 0 to cannam@133: 2^29, possibly repeatedly, by sending it a small message. This could enable cannam@133: a DoS attack by consuming CPU resources. cannam@133: cannam@133: Fixed in cannam@133: ======== cannam@133: cannam@133: - git commit [80149744bdafa3ad4eedc83f8ab675e27baee868][0] cannam@133: - release 0.5.1.2: cannam@133: - Unix: https://capnproto.org/capnproto-c++-0.5.1.2.tar.gz cannam@133: - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.2.zip cannam@133: - release 0.4.1.1: cannam@133: - Unix: https://capnproto.org/capnproto-c++-0.4.1.2.tar.gz cannam@133: - release 0.6 (future) cannam@133: cannam@133: [0]: https://github.com/sandstorm-io/capnproto/commit/80149744bdafa3ad4eedc83f8ab675e27baee868 cannam@133: cannam@133: Details cannam@133: ======= cannam@133: cannam@133: Advisory [2015-03-02-2][1] described a bug allowing a remote attacker to cannam@133: consume excessive CPU time or other resources using a specially-crafted message. cannam@133: The present advisory is simply another case of the same bug which was initially cannam@133: missed. cannam@133: cannam@133: The new case occurs only if the application invokes the `totalSize()` method cannam@133: on an object reader. cannam@133: cannam@133: The new case is somewhat less severe, in that it only spins in a tight `for` cannam@133: loop that doesn't call any application code. Only CPU time is possibly cannam@133: consumed, not RAM or other resources. However, it is still possible to create cannam@133: significant delays for the receiver with a specially-crafted message. cannam@133: cannam@133: [1]: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-2-all-cpu-amplification.md cannam@133: cannam@133: Preventative measures cannam@133: ===================== cannam@133: cannam@133: Our fuzz test actually covered this case, but we didn't notice the problem cannam@133: because the loop actually completes in less than a second. We've added a new cannam@133: test case which is more demanding, and will make sure that when we do extended cannam@133: testing with American Fuzzy Lop, we treat unexpectedly long run times as cannam@133: failures.