Dire Wolf Reachable Assertion Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Dire Wolf versions through 1.8, prior to commit 3658a87. The issue arises in the APRS MIC-E decoder function aprs_mic_e(), located in src/decode_aprs.c. When the application processes a specially crafted AX.25 frame containing a MIC-E message with an empty or truncated comment field, it triggers an unhandled assertion that expects a non-empty comment. This assertion failure leads to an immediate process termination, allowing a remote, unauthenticated attacker to cause a denial-of-service by sending malformed APRS traffic.

Impact

Exploitation of this vulnerability causes a process crash due to stack memory corruption. Additionally, the memory corruption could be leveraged for control-flow manipulation or destabilization of the application, depending on the compiler, mitigations, and context of the function calls.

Reproduction

The vulnerability can be reproduced by sending a crafted AX.25 frame that decodes to a MIC-E message with an empty comment. This can be done using a tool like netcat to send the malformed packet to the KISS TCP port, which is typically port 7002.

Remediation

Users can upgrade to Dire Wolf versions including commit 694c95485b21c1c22bc4682703771dec4d7a374b or later. If an immediate upgrade is not possible, the patch can be backported by applying the boundary check correction in the APRS MIC-E decoder function and then rebuilding the application. As a temporary measure, access to the KISS TCP port can be restricted to trusted clients or the KISS TCP functionality can be disabled if not needed.
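The kind of boundary check described above, as an added illustration that is not Dire Wolf source and not the actual patch. Function names, the status enum and the 64-byte buffer are assumptions; the 9-byte fixed MIC-E prefix (type byte plus 8 bytes) follows the APRS specification, and the input is constructed filler.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustration only: hypothetical names, not Dire Wolf source or its patch. */
#define MICE_FIXED_LEN 9  /* type byte + 8 fixed MIC-E bytes; comment follows */
#define COMMENT_MAX 64    /* assumed size of the caller's comment buffer */

enum mice_status { MICE_OK = 0, MICE_NO_COMMENT = 1, MICE_TRUNCATED = -1 };

/* Fragile: assert() validates a length taken from received data. With
 * assertions enabled, a frame carrying no comment aborts the process. */
void comment_asserting(const unsigned char *info, size_t len, char *out)
{
    assert(len > MICE_FIXED_LEN);
    size_t n = len - MICE_FIXED_LEN;
    if (n >= COMMENT_MAX) n = COMMENT_MAX - 1;
    memcpy(out, info + MICE_FIXED_LEN, n);
    out[n] = '\0';
}

/* Hardened: the same condition is a runtime check with an error return,
 * so malformed input is rejected and the decoder keeps running. */
enum mice_status comment_checked(const unsigned char *info, size_t len, char *out)
{
    out[0] = '\0';
    if (info == NULL || len < MICE_FIXED_LEN)
        return MICE_TRUNCATED;      /* fixed fields incomplete: drop the frame */
    if (len == MICE_FIXED_LEN)
        return MICE_NO_COMMENT;     /* nothing after the fixed fields */
    size_t n = len - MICE_FIXED_LEN;
    if (n >= COMMENT_MAX) n = COMMENT_MAX - 1;  /* truncate, never overflow */
    memcpy(out, info + MICE_FIXED_LEN, n);
    out[n] = '\0';
    return MICE_OK;
}

int main(void)
{
    /* Constructed filler bytes, not a captured frame. */
    const unsigned char info[] = "`ABCDEFGHhello";
    char out[COMMENT_MAX];
    printf("%d\n", comment_checked(info, 14, out));  /* full field */
    printf("%d\n", comment_checked(info, 9, out));   /* empty comment */
    printf("%d\n", comment_checked(info, 4, out));   /* truncated */
    return 0;
}
```

Building with NDEBUG does not make the asserting form safe: the check disappears and `len - MICE_FIXED_LEN` can wrap for short input, so the validation has to be ordinary runtime code.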

Added: Dec 22, 2025, 10:36 PM
Updated: Dec 22, 2025, 10:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.