Bug 2040388 (CVE-2021-43612)

Summary: CVE-2021-43612 lldpd: out-of-bounds read when decoding SONMP packets
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aconole, david.sastre, james.hogarth
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: lldpd 1.0.13
Doc Text:
An out-of-bounds read vulnerability is present in lldpd. An attacker on the same network as the vulnerable system may use this vulnerability to leak memory data from the application or crash it by sending SONMP packets that are shorter than expected.
Bug Depends On: 2040390, 2040391, 2041516, 2041517
Bug Blocks: 2040397

Description Marian Rehak 2022-01-13 16:01:45 UTC
An out-of-bounds read vulnerability exists due to a boundary error when reading SONMP packets. A remote user can send specially crafted packets to the application, trigger a heap-based buffer overflow read and leak memory values from the lldpd application or crash it.

Comment 1 Marian Rehak 2022-01-13 16:03:47 UTC
Created lldpd tracking bugs for this issue:

Affects: epel-7 [bug 2040391]
Affects: fedora-all [bug 2040390]

Comment 2 Todd Cullum 2022-01-14 00:57:37 UTC
Upstream patch commit: https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7

Comment 3 Riccardo Schirone 2022-01-17 15:03:21 UTC
In sonmp.c:sonmp_decode() there is the following code, where some bytes outside of the heap-allocated buffer can be read:
	PEEK_BYTES(&address, sizeof(struct in_addr));
	memcpy(chassis->c_id + 1, &address, sizeof(struct in_addr));
	if (asprintf(&chassis->c_name, "%s", inet_ntoa(address)) == -1) {
		log_warnx("sonmp", "unable to write chassis name for %s",
		goto malformed;
	PEEK_BYTES(seg, sizeof(seg));
	rchassis = PEEK_UINT8;
Where PEEK_* functions just read from the packet and adjust the `pos` pointer and the `length` value according to the number of bytes that were read. The values `address`, `seg` and `rchassis` do not seem to be used in any dangerous way that could allow the wrongly read values to alter the execution of the program.

By looking at the code mentioned above and the commit message of the upstream patch, this is rather an out-of-bounds read on the heap, which may be used to leak values from the memory of the program or, under special conditions, crash the program.

Thus the Impact of this flaw is set to Moderate and the CVSS is set to 7.3/CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. In particular, Attack Vector is set to Adjacent (AV:A) as lldpd involves link layer protocols and requires an attacker to be adjacent to the victim system; Confidentiality is set to High (C:H) because the values read out-of-bounds could be used to construct other packets that an attacker may read; Availability is set to High (A:H) as we could not exclude that the out-of-bounds read would result in a crash of lldpd when reading invalid memory.
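An added illustration of the defensive check this class of bug calls for (example code written here, not lldpd's sonmp.c): a PEEK-style read that refuses to consume more bytes than remain in the packet, so a short SONMP packet is rejected as malformed instead of being read past the end of the heap buffer. The 8-byte field layout (4-byte address, 3-byte seg, 1-byte rchassis) is an assumption modelled on the three reads quoted in Comment 3, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed field layout following the reads quoted in Comment 3: a 4-byte
 * IPv4 address (stands in for struct in_addr), a 3-byte segment value and a
 * 1-byte remote chassis type, 8 bytes in total. */
struct sonmp_fields { uint8_t address[4]; uint8_t seg[3]; uint8_t rchassis; };

/* Read cursor: pos advances and length shrinks with every read, the same
 * bookkeeping the comment describes for the PEEK_* helpers. */
struct cursor { const uint8_t *pos; size_t length; };

/* Bounds-checked read: refuses a field that does not fit in the remaining
 * length instead of reading past the end of the heap buffer. */
static int peek_bytes(struct cursor *c, void *dst, size_t n)
{
    if (c->length < n)
        return -1;                      /* short packet: treat as malformed */
    memcpy(dst, c->pos, n);
    c->pos += n;
    c->length -= n;
    return 0;
}

/* Returns 0 when every field fits in the packet, -1 on a short packet.
 * On failure no byte beyond pkt[len - 1] has been read. */
int sonmp_decode_fields(const uint8_t *pkt, size_t len, struct sonmp_fields *out)
{
    struct cursor c = { pkt, len };
    if (peek_bytes(&c, out->address, sizeof out->address) < 0 ||
        peek_bytes(&c, out->seg, sizeof out->seg) < 0 ||
        peek_bytes(&c, &out->rchassis, sizeof out->rchassis) < 0)
        return -1;
    return 0;
}

/* Constructed 8-byte sample packet. decode_sample() pretends only the first
 * len bytes arrived and returns rchassis, or -1 when decoding was refused. */
static const uint8_t sample_pkt[8] = { 192, 0, 2, 1, 0x01, 0x02, 0x03, 5 };
int decode_sample(size_t len)
{
    struct sonmp_fields f;
    if (len > sizeof sample_pkt || sonmp_decode_fields(sample_pkt, len, &f) < 0)
        return -1;
    return f.rchassis;
}
```

With the full 8 bytes decode_sample() returns the chassis type 5; with any shorter length the decoder stops at the first field that does not fit and returns -1 without touching memory beyond the packet.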