CVE-2024-26306

5.9 MEDIUM

📋 TL;DR

iPerf3 before 3.17, when run as a server with RSA authentication enabled and linked against OpenSSL older than 3.2.0, performs the RSA decryption of client credentials in a way that leaks timing information. An attacker who sends many messages for decryption and measures the response times could potentially recover the credential plaintext. Only iPerf3 servers using RSA authentication with a vulnerable OpenSSL version are affected.

💻 Affected Systems

Products:
  • iPerf3
Versions: All versions before 3.17
Operating Systems: All platforms running iPerf3
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured as a server with RSA authentication using OpenSSL before 3.2.0.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers recover authentication credentials, potentially gaining unauthorized access to iPerf3 servers and the systems they run on.

🟠

Likely Case

Credential theft requiring significant attacker effort and specific conditions (RSA authentication enabled, many messages sent).

🟢

If Mitigated

Minimal impact if RSA authentication is disabled or systems are patched.

🌐 Internet-Facing: MEDIUM - Requires specific configuration (RSA auth) and significant attacker effort, but internet exposure increases attack surface.
🏢 Internal Only: LOW - Internal systems with controlled access reduce exposure, though lateral movement risk exists if credentials are compromised.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires sending large numbers of messages and timing analysis, making it complex but feasible with sufficient resources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.17

Vendor Advisory: https://downloads.es.net/pub/iperf/esnet-secadv-2024-0001.txt.asc

Restart Required: Yes

Instructions:

1. Download iPerf3 version 3.17 or later from GitHub releases.
2. Stop iPerf3 services.
3. Install the updated version.
4. Restart iPerf3 services.

🔧 Temporary Workarounds

Disable RSA Authentication (platform: all)

Configure the iPerf3 server to use an alternative authentication method, or disable authentication if it is not required.

Modify the iPerf3 server configuration to remove the RSA authentication options.

Update OpenSSL (platform: linux)

Upgrade OpenSSL to version 3.2.0 or later to mitigate the underlying timing side channel.

apt-get update && apt-get upgrade openssl
yum update openssl

🧯 If You Can't Patch

  • Disable RSA authentication on iPerf3 servers
  • Restrict network access to iPerf3 servers using firewalls or network segmentation

🔍 How to Verify

Check if Vulnerable:

Check the iPerf3 version with 'iperf3 --version' and check whether the server is started with RSA authentication enabled.

Check Version:

iperf3 --version

Verify Fix Applied:

Confirm iPerf3 version is 3.17 or later with 'iperf3 --version' and ensure OpenSSL is 3.2.0+ with 'openssl version'.
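The following script turns the two version checks above into a repeatable host assessment. It is an added example, not code from the advisory page or from the iPerf3 project: the function names are mine, and it assumes that `iperf3 --version` begins with a line of the form "iperf 3.17 (cJSON 1.7.15)" followed by an "Optional features available:" line that lists "authentication" only for builds made with OpenSSL, and that `openssl version` begins with "OpenSSL 3.0.2 15 Mar 2022". The sample outputs in the script are constructed for offline use, not captured from real hosts.

```shell
#!/bin/sh
# Added example (not from the advisory page): assess a host against the two
# conditions the page gives for CVE-2024-26306, iPerf3 < 3.17 and OpenSSL < 3.2.0.

# version_ge A B: succeed when dotted version A is >= B, comparing up to three
# numeric components; a suffix such as "k" or "-rc1" is dropped before comparing.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    oldifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    [ $((a1 * 1000000 + a2 * 1000 + a3)) -ge $((b1 * 1000000 + b2 * 1000 + b3)) ]
}

# `iperf3 --version` starts with a line like "iperf 3.17 (cJSON 1.7.15)" (assumed format)
iperf3_version_from() {
    printf '%s\n' "$1" | sed -n '1s/^iperf \([0-9][0-9.]*\).*$/\1/p'
}

# The same output lists build features; "authentication" appears only when
# iperf3 was built with OpenSSL, which is the build the advisory concerns (assumed format)
iperf3_has_auth() {
    printf '%s\n' "$1" | grep -q 'Optional features available:.*authentication'
}

# `openssl version` starts with a line like "OpenSSL 3.0.2 15 Mar 2022" (assumed format)
openssl_version_from() {
    printf '%s\n' "$1" | sed -n '1s/^OpenSSL \([0-9][0-9.]*\).*$/\1/p'
}

# Verdict derived from the page's conditions:
#   patched    - iperf3 is 3.17 or later (the fixed release)
#   no-auth    - iperf3 built without authentication support, so RSA auth cannot be enabled
#   mitigated  - older iperf3, but OpenSSL 3.2.0+ no longer has the timing side channel
#   vulnerable - older iperf3 on older OpenSSL; exposed if the server runs with RSA auth
cve_2024_26306_status() {
    iperf_out="$1"; openssl_out="$2"
    iv=$(iperf3_version_from "$iperf_out")
    sv=$(openssl_version_from "$openssl_out")
    if version_ge "${iv:-0}" 3.17; then echo patched
    elif ! iperf3_has_auth "$iperf_out"; then echo no-auth
    elif version_ge "${sv:-0}" 3.2.0; then echo mitigated
    else echo vulnerable
    fi
}

# Constructed sample outputs (not real captures) for exercising the parsers offline
SAMPLE_IPERF_316='iperf 3.16 (cJSON 1.7.15)
Linux lab-host 5.15.0-91-generic #101-Ubuntu SMP x86_64
Optional features available: CPU affinity setting, IPv6 flow label, SCTP, TCP congestion algorithm setting, sendfile / pread, socket pacing, authentication, bind to device'
SAMPLE_IPERF_317='iperf 3.17 (cJSON 1.7.15)
Linux lab-host 5.15.0-91-generic #101-Ubuntu SMP x86_64
Optional features available: CPU affinity setting, IPv6 flow label, SCTP, TCP congestion algorithm setting, sendfile / pread, socket pacing, authentication, bind to device'
SAMPLE_IPERF_NOSSL='iperf 3.16 (cJSON 1.7.15)
Linux lab-host 5.15.0-91-generic #101-Ubuntu SMP x86_64
Optional features available: CPU affinity setting, IPv6 flow label, SCTP'
SAMPLE_OPENSSL_302='OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)'
SAMPLE_OPENSSL_321='OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)'

echo "sample 3.16 on OpenSSL 3.0.2: $(cve_2024_26306_status "$SAMPLE_IPERF_316" "$SAMPLE_OPENSSL_302")"
echo "sample 3.16 on OpenSSL 3.2.1: $(cve_2024_26306_status "$SAMPLE_IPERF_316" "$SAMPLE_OPENSSL_321")"
echo "sample 3.17 on OpenSSL 3.0.2: $(cve_2024_26306_status "$SAMPLE_IPERF_317" "$SAMPLE_OPENSSL_302")"

# Live check of this host, run only when both tools are on PATH
if command -v iperf3 >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    echo "this host: $(cve_2024_26306_status "$(iperf3 --version 2>&1)" "$(openssl version 2>&1)")"
fi
```

Two caveats apply to any version-based check. Distribution packages may carry backported fixes without changing the upstream version string, so on such hosts the package changelog is the authoritative source. The `openssl` binary on PATH is also not necessarily the library iperf3 is linked against; on Linux, `ldd "$(command -v iperf3)" | grep libcrypto` shows which libcrypto the iperf3 build actually loads.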

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of authentication attempts
  • Multiple failed RSA decryption attempts

Network Indicators:

  • High volume of traffic to iPerf3 server ports (default 5201)
  • Patterns of repeated authentication requests

SIEM Query:

source="iperf3" AND (event_type="authentication" OR event_type="decryption") AND count > threshold
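The SIEM query above is a sketch; the script below is a concrete, offline version of the "repeated requests from one source" indicator, run over an iperf3 server log. It is an added example, not code from the advisory page or from the iPerf3 project. It assumes the server log records each client with a line of the form "Accepted connection from <ip>, port <port>", which is what iperf3 prints for an accepted control connection; the log lines and the threshold are constructed for this example, and the function name is mine. It does not assume any particular log line for authentication failures.

```shell
#!/bin/sh
# Added example (not from the advisory page): flag source addresses that open
# many connections to an iperf3 server, counted from the server's own log.

# Constructed sample log (not a real capture): 10.0.0.5 connects six times,
# the other two sources once each.
SAMPLE_LOG='Accepted connection from 10.0.0.5, port 43210
Accepted connection from 10.0.0.9, port 50112
Accepted connection from 10.0.0.5, port 43211
Accepted connection from 10.0.0.5, port 43212
Accepted connection from 10.0.0.5, port 43213
Accepted connection from 10.0.0.5, port 43214
Accepted connection from 10.0.0.5, port 43215
Accepted connection from 2001:db8::7, port 39001'

# flag_noisy_sources LOG THRESHOLD: print "ip count" for every source address
# that appears in LOG at least THRESHOLD times, sorted by address. The address
# is located by pattern rather than by field position, so a timestamp prefix
# (iperf3 --timestamps) in front of each line does not break the match.
flag_noisy_sources() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /Accepted connection from/ {
            if (match($0, /from [0-9a-fA-F.:]+/)) {
                ip = substr($0, RSTART + 5, RLENGTH - 5)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= t) printf "%s %d\n", ip, n[ip] }' | sort
}

# Example run: with a threshold of 5 only 10.0.0.5 is reported
flag_noisy_sources "$SAMPLE_LOG" 5
```

In production the threshold should be set per time window (for example, by feeding the script only the last hour of the log), since the page's indicator is a volume anomaly rather than any single connection; a legitimate client running repeated tests will also show up and needs to be allow-listed rather than treated as an alert.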

🔗 References
