Bug 2040388 (CVE-2021-43612)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2021-43612 lldpd: out-of-bounds read when decoding SONMP packets | | |
| Product | [Other] Security Response | Reporter | Marian Rehak <mrehak> |
| Component | vulnerability | Assignee | Nobody <nobody> |
| Status | NEW --- | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aconole, david.sastre, james.hogarth |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | lldpd 1.0.13 | Doc Type | If docs needed, set a value |
| Doc Text | An out-of-bounds read vulnerability is present in lldpd. An attacker on the same network as the vulnerable system may use this vulnerability to leak memory data from the application or crash it by sending shorter SONMP packets than what is expected. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2040390, 2040391, 2041516, 2041517 | | |
| Bug Blocks | 2040397 | | |
Description

Marian Rehak 2022-01-13 16:01:45 UTC

Created lldpd tracking bugs for this issue:

Affects: epel-7 [bug 2040391]
Affects: fedora-all [bug 2040390]

Upstream patch commit: https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7

In sonmp.c:sonmp_decode() there is the following code, where some bytes outside of the heap-allocated buffer can be read:

```C
/* Reads sizeof(struct in_addr) bytes from the packet at `pos`; nothing
 * checks that that many bytes remain in `length`. */
PEEK_BYTES(&address, sizeof(struct in_addr));
memcpy(chassis->c_id + 1, &address, sizeof(struct in_addr));
if (asprintf(&chassis->c_name, "%s", inet_ntoa(address)) == -1) {
	log_warnx("sonmp", "unable to write chassis name for %s",
	    hardware->h_ifname);
	goto malformed;
}
/* Same unchecked pattern for the following fields. */
PEEK_BYTES(seg, sizeof(seg));
rchassis = PEEK_UINT8;
```

The PEEK_* functions just read from the packet and adjust the `pos` pointer and the `length` value according to the number of bytes that were read. The values `address`, `seg` and `rchassis` do not seem to be used in any dangerous way that could allow the wrongly read values to alter the execution of the program.

By looking at the code mentioned above and the commit message of the upstream patch, this is rather an out-of-bounds read on the heap, which may be used to leak values from the memory of the program or, under special conditions, crash the program. Thus the Impact of this flaw is set to Moderate and the CVSS is set to 7.3/CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.

In particular, Attack Vector is set to Adjacent (AV:A) as lldpd involves link-layer protocols and requires an attacker to be adjacent to the victim system; Confidentiality is set to High (C:H) because the values read out-of-bounds could be used to construct other packets that an attacker may read; Availability is set to High (A:H) as we could not exclude that the out-of-bounds read would result in a crash of lldpd when reading invalid memory.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2024:9158 https://access.redhat.com/errata/RHSA-2024:9158