You are here

ANNOUNCEMENT: Security Vulnerability in 3rd Party "iperfspeed" Software

13 posts / 0 new
Last post
K5DLQ
K5DLQ's picture
ANNOUNCEMENT: Security Vulnerability in 3rd Party "iperfspeed" Software
If you have installed the iperfspeed add-on (v0.5), you need to IMMEDIATELY update it to v0.5.1 that corrects a critical vulnerability which can allow an attacker to gain root access to your node.

The new package for iperfspeed can be found here:   https://aredn.s3.amazonaws.com/iperfspeed_0.5.1_all.ipk   (iperfspeed and this file are provided by K7FPV)

Thanks to KE0PSL for responsibly reporting this issue.


 
KB9OIV
This one liner worked for me

This one liner worked for me with an internet gateway and ssh shell:
 

cd /tmp; opkg remove iperfspeed; wget http://aredn.s3.amazonaws.com/iperfspeed_0.5.1_all.ipk; opkg install iperfspeed_0.5.1_all.ipk; rm -rf iperfspeed_0.5.1_all.ipk


Also, if you have the newer package installed, the bottom of the iperf web page should have "Contrib by KE0PSL." as well.
AC2OG
AC2OG's picture
ANNOUNCEMENT: Security Vulnerability in 3rd Party "iperfspeed" S

Hello,
if I have understood well, 2 packages have to be installed in the nodes: <iperf> and <iperfspeed>. 
For <iperfspeed> the <iperfspeed_0.5.1_all.ipk>, but which version of <iperf> have to be installed in a Bullet M5 HP? 
K5DLQ
K5DLQ's picture
iperfspeed is the only
iperfspeed is the only package that needs to be updated
AC2OG
AC2OG's picture
iperfspeed is the only

Please give me a link for the downloading of both packages.
thanks
 
AB7PA
Links in the docs
KB9OIV
Does anyone know where the
Does anyone know where the 'AREDN Alert' is coming from for the iperfspeed package alert?  I've updated the package quite a while ago, and I've verified that it was the latest version that was installed subject to the alert.

The alert remains in the huge yellow box.
AB7PA
Source of AREDN alert messages
I assume you see the yellow alert box on one of your nodes that is connected to the "worldwide tunnel server" ??? If so then here is where the message is coming from: http://downloads.arednmesh.org/messages/kb9oiv-1.txt
K5DLQ
K5DLQ's picture
i removed the alert for your
i removed the alert for your node.

 
K5DLQ
K5DLQ's picture
i removed the alert for your

i removed the alert for your node.

 

K5DLQ
K5DLQ's picture
i removed the alert for your

i removed the alert for your node.

 

KB9OIV
I guess the final issue, is

I guess the final issue, is that even though I have the 'patched' iperfspeed installed, I am still getting the big yellow box.

The hard way to make that yellow box go away would be to block that worldwide server tunnel node in the firewall?

KB9OIV
I think that someone made the
I think that someone made the detection, but did not schedule a 're-detection'?

Anyway, if anyone else needs a workaround, you can comment out the aredn_message.sh cron job, and delete the /tmp/aredn_message file 

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer