iperf DoS via Insufficient Data from Malicious Client (CVE-2023-7250)
CVE-2023-7250 Published on March 18, 2024
Iperf3: possible denial of service
A flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service.
Vulnerability Analysis
CVE-2023-7250 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is an Allowlist / Allow List Vulnerability?
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
CVE-2023-7250 has been classified to as an Allowlist / Allow List vulnerability or weakness.
Products Associated with CVE-2023-7250
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-7250 are published in these products:
Affected Versions
Red Hat Enterprise Linux 8:- Version 0:3.5-10.el8_10 and below * is unaffected.
- Version 0:3.9-13.el9 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.