Bug 1896536 (CVE-2015-8011) - CVE-2015-8011 lldpd: buffer overflow in the lldp_decode function in daemon/protocols/lldp.c
Summary: CVE-2015-8011 lldpd: buffer overflow in the lldp_decode function in daemon/pr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8011
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1896940 1896941 1896944 1896946 1896947 1896948 1896949 1896950 1896951 1896954 1897477 1897478 1897479 1897480 1899303 1899304 1899305 1907535 1907536 1907537 1907538 1907539 1907540
Blocks: 1892460
Reported: 2020-11-10 20:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-02 14:29 UTC (History)

Fixed In Version: lldpd 0.8.0
Doc Type: If docs needed, set a value
Doc Text:
A buffer overflow was found in the lldp_decode function in daemon/protocols/lldp.c in lldpd. This flaw allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors involving large management addresses and TLV boundaries. This threatens the system's confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed: 2020-12-17 09:56:09 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5611 0 None None None 2020-12-17 09:00:33 UTC
Red Hat Product Errata RHSA-2020:5615 0 None None None 2020-12-21 12:06:24 UTC
Red Hat Product Errata RHSA-2021:0028 0 None None None 2021-01-06 11:23:39 UTC
Red Hat Product Errata RHSA-2021:0931 0 None None None 2021-03-18 13:08:07 UTC

Description Guilherme de Almeida Suckevicz 2020-11-10 20:07:24 UTC
Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors involving large management addresses and TLV boundaries.

References:
http://www.openwall.com/lists/oss-security/2015/10/16/2
http://www.openwall.com/lists/oss-security/2015/10/30/2

Upstream patch:
https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2

Comment 1 Todd Cullum 2020-11-11 00:12:25 UTC
Flaw summary:

The `addr_str_buffer` can be overflowed during a call to `memcpy(value, pos, bytes)`, where `bytes` is passed `addr_str_length` and `value` is passed `addr_str_buffer`, if a remote device advertises a management address that is too large. This results in an out-of-bounds write which could lead to denial of service. While it could theoretically lead to code execution in other cases, in Red Hat Enterprise Linux the openvswitch package is built with `_FORTIFY_SOURCE` enabled, which mitigates this [1].

1. https://access.redhat.com/blogs/766093/posts/3606481
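
The following is an added illustration of the missing length check described in Comment 1 (and of why the fortification mentioned in Comment 23 is only a backstop); it is example code, not lldpd's own decoder. The function names, the `MGMT_ADDR_CAP` capacity of 31 bytes and the sample inputs are this example's assumptions. The management-address TLV layout it parses follows IEEE 802.1AB: one byte of address string length (which counts the subtype byte plus the address bytes), one subtype byte, then the address. The decoder validates the claimed length against both the received TLV boundary and the destination buffer before any `memcpy()`; `_FORTIFY_SOURCE` only turns an overrun into an abort when the compiler can see the destination's size, so the explicit bound is what actually prevents the out-of-bounds write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacity of the local address buffer (an assumption of this
 * example, not lldpd's value). */
#define MGMT_ADDR_CAP 31

enum decode_result {
    DECODE_OK = 0,
    DECODE_TRUNCATED = -1,   /* length field points past the TLV boundary */
    DECODE_TOO_LARGE = -2    /* address would not fit the local buffer */
};

/* Decode the leading part of a management-address TLV value:
 * byte 0 = address string length (subtype byte + address bytes),
 * byte 1 = address subtype, bytes 2.. = address.
 * `len` is the number of TLV value bytes actually received. The address is
 * copied into `out` only after the claimed length has been checked against
 * both the TLV boundary and the destination capacity. */
int decode_mgmt_addr(const uint8_t *tlv, size_t len,
                     uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (len < 1)
        return DECODE_TRUNCATED;

    size_t addr_str_length = tlv[0];

    /* Need the subtype byte plus (addr_str_length - 1) address bytes, all
     * inside the received TLV value: 1 + addr_str_length <= len. */
    if (addr_str_length < 1 || addr_str_length > len - 1)
        return DECODE_TRUNCATED;

    size_t addr_len = addr_str_length - 1;   /* drop the subtype byte */

    /* The check whose absence lets memcpy() write past the buffer. */
    if (addr_len > out_cap)
        return DECODE_TOO_LARGE;

    memcpy(out, tlv + 2, addr_len);
    *out_len = addr_len;
    return DECODE_OK;
}

/* Constructed input: IPv4 address 192.0.2.1 (subtype 1), length byte 5.
 * Returns 1 when the decoder accepts it and copies exactly the 4 bytes. */
int check_valid_ipv4(void)
{
    static const uint8_t tlv[] = { 5, 1, 192, 0, 2, 1 };
    uint8_t out[MGMT_ADDR_CAP];
    size_t n = 0;
    if (decode_mgmt_addr(tlv, sizeof tlv, out, sizeof out, &n) != DECODE_OK)
        return 0;
    return n == 4 && memcmp(out, tlv + 2, 4) == 0;
}

/* Constructed input: the peer claims a 200-byte address string and the TLV
 * really carries 200 bytes, so the TLV-boundary check passes but the
 * destination-capacity check must reject it. */
int check_oversized(void)
{
    uint8_t tlv[1 + 200];
    uint8_t out[MGMT_ADDR_CAP];
    size_t n = 0;
    memset(tlv, 0xAB, sizeof tlv);
    tlv[0] = 200;   /* subtype + 199 address bytes */
    tlv[1] = 1;
    return decode_mgmt_addr(tlv, sizeof tlv, out, sizeof out, &n);
}

/* Constructed input: length byte says 5 but only two more bytes arrived. */
int check_truncated(void)
{
    static const uint8_t tlv[] = { 5, 1, 192 };
    uint8_t out[MGMT_ADDR_CAP];
    size_t n = 0;
    return decode_mgmt_addr(tlv, sizeof tlv, out, sizeof out, &n);
}

int main(void)
{
    printf("valid ipv4 decoded: %d\n", check_valid_ipv4());
    printf("oversized rejected: %d\n", check_oversized() == DECODE_TOO_LARGE);
    printf("truncated rejected: %d\n", check_truncated() == DECODE_TRUNCATED);
    return 0;
}
```

The two rejection paths are deliberately distinct: a length that runs past the received TLV is a malformed frame, while a length that fits the frame but not the local buffer is exactly the case Comment 1 describes, and a decoder that only validates against the TLV boundary still overruns `out` on the second input.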

Comment 12 Sam Fowler 2020-11-13 07:39:32 UTC
The openvswitch2.13 package was first shipped in OCP from version 4.3. OCP 4.2 and earlier did not ship an openvswitch package.

The rhosp-openvswitch package was only shipped in OCP 4.3, which is now out of support scope.

Comment 14 Anten Skrabec 2020-11-18 20:47:03 UTC
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 1899303]
Affects: openstack-rdo [bug 1899304]


Created rdo-openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 1899305]

Comment 19 errata-xmlrpc 2020-12-17 09:00:59 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2020:5611 https://access.redhat.com/errata/RHSA-2020:5611

Comment 20 Product Security DevOps Team 2020-12-17 09:56:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-8011

Comment 21 errata-xmlrpc 2020-12-21 12:06:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:5615 https://access.redhat.com/errata/RHSA-2020:5615

Comment 22 errata-xmlrpc 2021-01-06 11:23:36 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
  Red Hat Virtualization Engine 4.3

Via RHSA-2021:0028 https://access.redhat.com/errata/RHSA-2021:0028

Comment 23 Anten Skrabec 2021-02-08 22:08:52 UTC
Mitigation:

When the lldpd source is compiled with source fortification enabled, the flaw becomes unexploitable and will just cause a crash.

Comment 24 Anten Skrabec 2021-02-09 22:10:16 UTC
Statement:

The lldpd package as shipped with Red Hat Enterprise Linux 8 is not affected by this flaw because it has already received the patch. The flaw affects versions before 0.8.0 and the shipped version is 1.0.1+. In addition, Red Hat Virtualization 4.3 manager appliance is out of support scope and therefore no fix for it will be delivered.

Comment 25 errata-xmlrpc 2021-03-18 13:07:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2021:0931 https://access.redhat.com/errata/RHSA-2021:0931

Comment 26 errata-xmlrpc 2021-03-25 12:16:21 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:0988 https://access.redhat.com/errata/RHSA-2021:0988

Comment 27 errata-xmlrpc 2021-05-20 19:30:07 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2021:2077 https://access.redhat.com/errata/RHSA-2021:2077

Comment 28 errata-xmlrpc 2021-06-02 14:29:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2021:2205 https://access.redhat.com/errata/RHSA-2021:2205

