You are here

Home » Forums » General discussion

ANNOUNCEMENT: Security Vulnerability in 3rd Party "iperfspeed" Software

13 posts / 0 new
Log in or register to post comments
Last post
Tue, 12/01/2020 - 22:32
#1
K5DLQ
K5DLQ's picture
ANNOUNCEMENT: Security Vulnerability in 3rd Party "iperfspeed" Software
If you have installed the iperfspeed add-on (v0.5), you need to IMMEDIATELY update it to v0.5.1 that corrects a critical vulnerability which can allow an attacker to gain root access to your node.

The new package for iperfspeed can be found here:   https://aredn.s3.amazonaws.com/iperfspeed_0.5.1_all.ipk   (iperfspeed and this file are provided by K7FPV)

Thanks to KE0PSL for responsibly reporting this issue.


 
Top
Wed, 12/02/2020 - 21:35
KB9OIV
This one liner worked for me

This one liner worked for me with an internet gateway and ssh shell:
 

cd /tmp; opkg remove iperfspeed; wget http://aredn.s3.amazonaws.com/iperfspeed_0.5.1_all.ipk; opkg install iperfspeed_0.5.1_all.ipk; rm -rf iperfspeed_0.5.1_all.ipk


Also, if you have the newer package installed, the bottom of the iperf web page should have "Contrib by KE0PSL." as well.
Top
Fri, 12/04/2020 - 11:29
AC2OG
AC2OG's picture
ANNOUNCEMENT: Security Vulnerability in 3rd Party "iperfspeed" S

Hello,
if I have understood well, 2 packages have to be installed in the nodes: <iperf> and <iperfspeed>. 
For <iperfspeed> the <iperfspeed_0.5.1_all.ipk>, but which version of <iperf> have to be installed in a Bullet M5 HP? 
Top
Fri, 12/04/2020 - 13:39
(Reply to #3)
K5DLQ
K5DLQ's picture
iperfspeed is the only
iperfspeed is the only package that needs to be updated
Top
Sat, 12/05/2020 - 14:52
AC2OG
AC2OG's picture
iperfspeed is the only

Please give me a link for the downloading of both packages.
thanks
 
Top
Sat, 12/05/2020 - 16:19
(Reply to #5)
AB7PA
Links in the docs
https://arednmesh.readthedocs.io/en/latest/arednHow-toGuides/iperf.html#...
Top
Fri, 01/29/2021 - 18:45
KB9OIV
Does anyone know where the
Does anyone know where the 'AREDN Alert' is coming from for the iperfspeed package alert?  I've updated the package quite a while ago, and I've verified that it was the latest version that was installed subject to the alert.

The alert remains in the huge yellow box.
Top
Fri, 01/29/2021 - 20:30
(Reply to #7)
AB7PA
Source of AREDN alert messages
I assume you see the yellow alert box on one of your nodes that is connected to the "worldwide tunnel server" ??? If so then here is where the message is coming from: http://downloads.arednmesh.org/messages/kb9oiv-1.txt
Top
Mon, 02/01/2021 - 17:27
(Reply to #8)
K5DLQ
K5DLQ's picture
i removed the alert for your
i removed the alert for your node.

 
Top
Mon, 02/01/2021 - 17:32
(Reply to #9)
K5DLQ
K5DLQ's picture
i removed the alert for your

i removed the alert for your node.

 

Top
Mon, 02/01/2021 - 17:36
(Reply to #10)
K5DLQ
K5DLQ's picture
i removed the alert for your

i removed the alert for your node.

 

Top
Sun, 01/31/2021 - 10:20
KB9OIV
I guess the final issue, is

I guess the final issue, is that even though I have the 'patched' iperfspeed installed, I am still getting the big yellow box.

The hard way to make that yellow box go away would be to block that worldwide server tunnel node in the firewall?

Top
Sun, 01/31/2021 - 11:07
KB9OIV
I think that someone made the
I think that someone made the detection, but did not schedule a 're-detection'?

Anyway, if anyone else needs a workaround, you can comment out the aredn_message.sh cron job, and delete the /tmp/aredn_message file 
Top

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer