CVE-2021-43612 is a vulnerability in lldpd before version 1.0.13: a heap out-of-bounds read when decoding SynOptics Network Management Protocol (SONMP) packets in the sonmp_decode() function. This blog post explains the issue, walks through a simplified version of the affected code, and discusses how an attacker could trigger it. We'll also link to the original references for further investigation.

Vulnerability Details

Before diving into the specifics of the vulnerability, some background on lldpd and SONMP. lldpd is an open-source implementation of the Link Layer Discovery Protocol (LLDP), a standardized way for network devices to advertise their identity and capabilities to their directly connected neighbours. lldpd also understands several vendor discovery protocols, among them SONMP, an older proprietary protocol from SynOptics that was carried on by Bay Networks and Nortel for the same purpose.

The vulnerability lies in the sonmp_decode() function of lldpd. An attacker on the same Layer 2 segment can trigger it by sending a truncated SONMP frame, which makes the decoder read past the end of the heap buffer holding the frame. The result is either a crash of lldpd's decoding process or disclosure of whatever heap memory happens to follow the buffer, affecting the stability and security of the target device.

Code Snippet

To better understand the vulnerability, let's take a look at a simplified version of lldpd's sonmp_decode() function (adapted for readability: the structure and field names are illustrative, not the verbatim source):

int
sonmp_decode(struct lldpd *cfg, char *frame, int s, struct lldpd_hardware *hw) {
  ...
  while (ptr < end) {
    struct sonmp_vlan *vlan;
    char *descr;
    ...
    vlan = (struct sonmp_vlan *)ptr;    // (1) Assign ptr to vlan pointer
    ptr += sizeof(struct sonmp_vlan);
    if (ptr >= end) return -1;  // (2) Check if ptr is still within bounds
    ...
    descr = ptr;  // (3) Assign ptr to descr pointer
    ptr += len; 
    if (ptr >= end) return -1;  // (4) Check if ptr is still within bounds
    ...
  }
  ...
}

1. ptr is cast to a sonmp_vlan pointer. Nothing has yet established that at least sizeof(struct sonmp_vlan) bytes remain before end, so the fields read through vlan in the elided code may lie beyond the received frame.

2. Only after ptr has been advanced past the struct is it compared with end. The check comes too late: on a frame that ends inside the struct, the out-of-bounds read has already happened. (As written, the check also rejects a record that ends exactly at end, since it uses >= rather than >.)

3. ptr is assigned to descr, and ptr is then advanced by len, a length taken from the packet itself.

4. Again the comparison with end comes only after the advance. The bytes at descr are consumed in the elided code before anything confirms that len bytes actually remain, so an attacker-chosen len larger than the rest of the frame produces a second out-of-bounds read.

Exploit Details

An attacker can exploit this vulnerability by crafting a truncated SONMP frame and sending it on a link where lldpd is listening. Because SONMP, like LLDP, is a link-layer protocol, the frame cannot be routed: the attacker needs to be on the same Layer 2 segment as the target, and lldpd must have SONMP decoding enabled (the -s option). The short frame makes sonmp_decode() read beyond the received data, potentially crashing the daemon's decoding process or leaking adjacent heap contents to whoever can observe the decoded result.
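To make the check-after-read pattern from the walkthrough and the "short frame" attack concrete, here is an added example (not lldpd's code, and not the real SONMP wire format). It uses a hypothetical record layout modelled on the snippet above, a 3-byte header carrying a VLAN id and a description length followed by that many description bytes, and parses a constructed byte buffer two ways: decode_vlans_unsafe() keeps the snippet's ordering (consume first, compare with end afterwards), while decode_vlans_safe() tracks the bytes remaining and refuses to read a header or a description that does not fit. The bytes placed after the frame in the backing array stand in for whatever happens to follow the packet buffer on the heap, so the unsafe decoder's leak is visible without crashing the program.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout modelled on the page's snippet, not real SONMP:
 * a 3-byte header (VLAN id, big-endian, plus description length) followed by
 * `len` bytes of description. */
#define HDR_LEN   3
#define MAX_DESCR 32

struct vlan_out {
    uint16_t vid;
    char     descr[MAX_DESCR + 1];
};

/* Same ordering as the page's snippet: consume the header and the description
 * first, compare the cursor with `end` afterwards. A frame that ends inside a
 * record is read past frame + s before the check ever runs. */
static int
decode_vlans_unsafe(const uint8_t *frame, size_t s, struct vlan_out *out, size_t max)
{
    const uint8_t *ptr = frame, *end = frame + s;
    size_t n = 0;

    while (ptr < end && n < max) {
        uint16_t vid = (uint16_t)((ptr[0] << 8) | ptr[1]); /* header read, unchecked */
        uint8_t len = ptr[2];
        ptr += HDR_LEN;
        if (len > MAX_DESCR)
            return -1;
        out[n].vid = vid;
        memcpy(out[n].descr, ptr, len);                    /* description read, unchecked */
        out[n].descr[len] = '\0';
        ptr += len;
        n++;
        if (ptr > end)                                     /* the late check from steps (2)/(4) */
            return -1;
    }
    return (int)n;
}

/* Hardened form: track the bytes remaining and refuse to read a header or a
 * description unless it fits entirely inside the received frame. */
static int
decode_vlans_safe(const uint8_t *frame, size_t s, struct vlan_out *out, size_t max)
{
    const uint8_t *ptr = frame;
    size_t left = s, n = 0;

    while (left > 0) {
        if (n >= max || left < HDR_LEN)                    /* header must fit before it is read */
            return -1;
        uint16_t vid = (uint16_t)((ptr[0] << 8) | ptr[1]);
        uint8_t len = ptr[2];
        ptr += HDR_LEN;
        left -= HDR_LEN;
        if (len > MAX_DESCR || len > left)                 /* attacker-chosen len must fit too */
            return -1;
        out[n].vid = vid;
        memcpy(out[n].descr, ptr, len);
        out[n].descr[len] = '\0';
        ptr += len;
        left -= len;
        n++;
    }
    return (int)n;
}

/* Constructed test data. The received "frame" is the first SHORT_FRAME_LEN
 * bytes; the bytes after it simulate neighbouring heap memory. */
static const uint8_t backing[] = {
    0x00, 0x0a, 0x06, 'g', 'u', 'e', 's', 't', 's',   /* record 1: vid 10, "guests" */
    0x00, 0x14, 0x08, 'p', 'r',                       /* record 2: vid 20, claims 8 bytes, cut after "pr" */
    'i', 'v', 'a', 't', 'e', '!', 0x00,               /* beyond the frame */
};
#define SHORT_FRAME_LEN 14
#define FULL_FRAME_LEN  20

int
main(void)
{
    struct vlan_out out[4];
    int rc;

    memset(out, 0, sizeof out);
    rc = decode_vlans_unsafe(backing, SHORT_FRAME_LEN, out, 4);
    printf("unsafe: rc=%d, record 2 description \"%s\" (read past the frame)\n", rc, out[1].descr);
    rc = decode_vlans_safe(backing, SHORT_FRAME_LEN, out, 4);
    printf("safe:   rc=%d on the truncated frame\n", rc);
    rc = decode_vlans_safe(backing, FULL_FRAME_LEN, out, 4);
    printf("safe:   rc=%d on the complete frame\n", rc);
    return 0;
}
```

On the truncated frame the unsafe decoder does eventually return -1, but only after it has copied "private!" into the output, six bytes of which lie beyond the 14 bytes it was told it had; in a real daemon those bytes would be whatever the heap holds next. The safe decoder rejects the same frame before touching the description, accepts the complete 20-byte frame, and also rejects a frame with a single trailing byte, because a header can no longer fit.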

Key References

- Original Advisory
- lldpd GitHub Repository
- CVE-2021-43612 Details

Conclusion

The CVE-2021-43612 vulnerability in lldpd before 1.0.13 is a real threat to the stability and security of affected network devices, and to the confidentiality of whatever sits on the heap next to a received frame. Understanding the specifics of the vulnerability helps developers and administrators take appropriate mitigation measures. We strongly encourage users to update their lldpd installations to version 1.0.13 or later to address this issue; until then, leaving SONMP decoding disabled removes the affected code path.

Timeline

Published on: 04/15/2023 22:15:00 UTC
Last modified on: 04/26/2023 14:31:00 UTC