Bug 2040388 (CVE-2021-43612) - CVE-2021-43612 lldpd: out-of-bounds read when decoding SONMP packets
Summary: CVE-2021-43612 lldpd: out-of-bounds read when decoding SONMP packets
Keywords:
Status: NEW
Alias: CVE-2021-43612
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2040391 2040390 2041516 2041517
Blocks: 2040397
Reported: 2022-01-13 16:01 UTC by Marian Rehak
Modified: 2023-09-22 09:21 UTC (History)

Fixed In Version: lldpd 1.0.13
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read vulnerability is present in lldpd. An attacker on the same network as the vulnerable system may use this vulnerability to leak memory data from the application or crash it by sending shorter SONMP packets than what is expected.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Marian Rehak 2022-01-13 16:01:45 UTC
An out-of-bounds read vulnerability exists due to a boundary error when reading SONMP packets. A remote user can send specially crafted packets to the application, trigger a heap-based buffer overflow read and leak memory values from the lldpd application or crash it.

Reference:

https://www.cybersecurity-help.cz/vdb/SB2021111808
https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7
https://lldpd.github.io/security.html

Comment 1 Marian Rehak 2022-01-13 16:03:47 UTC
Created lldpd tracking bugs for this issue:

Affects: epel-7 [bug 2040391]
Affects: fedora-all [bug 2040390]

Comment 2 Todd Cullum 2022-01-14 00:57:37 UTC
Upstream patch commit: https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7

Comment 3 Riccardo Schirone 2022-01-17 15:03:21 UTC
In sonmp.c:sonmp_decode() there is the following code, where some bytes outside of the heap-allocated buffer can be read:
```C
	PEEK_BYTES(&address, sizeof(struct in_addr));
	memcpy(chassis->c_id + 1, &address, sizeof(struct in_addr));
	if (asprintf(&chassis->c_name, "%s", inet_ntoa(address)) == -1) {
		log_warnx("sonmp", "unable to write chassis name for %s",
		    hardware->h_ifname);
		goto malformed;
	}
	PEEK_BYTES(seg, sizeof(seg));
	rchassis = PEEK_UINT8;
```
Here, the PEEK_* functions just read from the packet and adjust the `pos` pointer and the `length` value according to the number of bytes that were read. The values `address`, `seg` and `rchassis` do not seem to be used in any dangerous way that could allow the wrongly read values to alter the execution of the program.

By looking at the code mentioned above and the commit message of the upstream patch, this is rather an out-of-bounds read on the heap, which may be used to leak values from the memory of the program or, under special conditions, crash the program.

Thus the Impact of this flaw is set to Moderate and the CVSS is set to 7.3/CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. In particular, Attack Vector is set to Adjacent (AV:A) as lldpd involves link layer protocols and requires an attacker to be adjacent to the victim system; Confidentiality is set to High (C:H) because the values read out-of-bounds could be used to construct other packets that an attacker may read; Availability is set to High (A:H) as we could not exclude that the out-of-bounds read would result in a crash of lldpd when reading invalid memory.
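The unchecked-read pattern discussed in Comment 3, as an added example that is not lldpd's code: a bounded `peek_bytes` helper (hypothetical name) refuses to read past the remaining packet length before copying the same three fields the snippet reads. The 3-byte `seg` length and the `sonmp_decode_fields` name are assumptions; the sample payloads are constructed.

```c
#include <arpa/inet.h>    /* inet_ntoa, ntohl */
#include <netinet/in.h>   /* struct in_addr */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SONMP_SEG_LEN 3   /* assumption: segment id length used in this example */

struct sonmp_fields {
    struct in_addr address;       /* 4 bytes, as in the snippet above */
    uint8_t seg[SONMP_SEG_LEN];
    uint8_t rchassis;
};

/* Bounded replacement for an unchecked PEEK: copy n bytes only when they are
 * still inside the packet, then advance pos and shrink length. A PEEK that
 * only adjusted pos/length would read past the end of the heap buffer when
 * the packet is shorter than the fields it is expected to carry. */
static int peek_bytes(const uint8_t **pos, size_t *length, void *dst, size_t n)
{
    if (*length < n)
        return -1;                /* refuse: would run past the buffer */
    memcpy(dst, *pos, n);
    *pos += n;
    *length -= n;
    return 0;
}

/* Decode the three fields from the snippet. Returns 0 on success,
 * -1 when the payload is too short (treat the packet as malformed). */
int sonmp_decode_fields(const uint8_t *pkt, size_t len, struct sonmp_fields *out)
{
    const uint8_t *pos = pkt;
    size_t length = len;
    if (peek_bytes(&pos, &length, &out->address, sizeof out->address)) return -1;
    if (peek_bytes(&pos, &length, out->seg, sizeof out->seg)) return -1;
    if (peek_bytes(&pos, &length, &out->rchassis, 1)) return -1;
    return 0;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t sample_ok[]    = {10, 0, 0, 1, 0x00, 0x01, 0x02, 0x05};
static const uint8_t sample_short[] = {10, 0, 0, 1, 0x00};

int main(void)
{
    struct sonmp_fields f;
    if (sonmp_decode_fields(sample_ok, sizeof sample_ok, &f) == 0)
        printf("chassis %s rchassis %u\n", inet_ntoa(f.address), f.rchassis);
    printf("short packet -> %d\n", sonmp_decode_fields(sample_short, sizeof sample_short, &f));
    return 0;
}
```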

