Corosync Wrong Return Value Vulnerability Leading to Out-of-Bounds Read and Denial-of-Service

Vulnerability

A vulnerability exists in Corosync's membership commit token sanity check, specifically in the default totemudp/totemudpu mode. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted UDP packet, causing an out-of-bounds read. This exploitation leads to a denial-of-service condition and may disclose limited memory contents. The issue arises because the check_memb_commit_token_sanity function incorrectly validates message lengths, allowing truncated messages to be processed and causing a heap-buffer-overflow read, as confirmed by AddressSanitizer.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing or disrupting the Corosync service. The out-of-bounds read is a heap-buffer-overflow read, which may be exploitable beyond the crash and could allow for the disclosure of sensitive memory contents.

Reproduction

The vulnerability can be reproduced by sending a crafted UDP packet to the default Corosync port, UDP 5405. The packet must be designed to exploit the incorrect return value in the check_memb_commit_token_sanity function, for example by using a message length that is shorter than the expected size of the memb_commit_token structure. This can be done using a simple program that sends UDP packets with the appropriate payload.
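The following C program is an added illustration of the defect class named in the Vulnerability and Reproduction sections (a length sanity check that returns the "valid" value for a truncated message), not Corosync's own code. The structures memb_commit_token_hdr and memb_commit_token_entry, the constants SANITY_OK, SANITY_FAIL and MAX_ENTRIES, and every function name are hypothetical, chosen for the demonstration; they are not Corosync identifiers. The buggy variant shows how a wrong return value lets a truncated datagram through to the parser, and the fixed variant shows the check a defender would want: a header-length check with the correct return value, plus a bound on the variable-length part so the total required length is validated before any field is read.

```c
/* Added example, not Corosync's own code. All names below are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed-size header of a membership commit token. */
struct memb_commit_token_hdr {
    uint32_t token_seq;
    uint32_t ring_id;
    uint32_t memb_index;
    uint32_t addr_entries;   /* number of variable-length entries that follow */
};

/* Hypothetical per-member entry that follows the header. */
struct memb_commit_token_entry {
    uint32_t nodeid;
    uint32_t addr[4];
};

#define SANITY_OK   1
#define SANITY_FAIL 0
#define MAX_ENTRIES 64       /* hypothetical upper bound on entries per token */

/* Buggy variant of the defect class: the short-message branch is taken,
 * but it returns the value the caller treats as "valid". */
static int check_token_sanity_buggy(const unsigned char *msg, size_t msg_len)
{
    (void)msg;
    if (msg_len < sizeof(struct memb_commit_token_hdr)) {
        fprintf(stderr, "token too short (%zu bytes)\n", msg_len);
        return SANITY_OK;    /* BUG: wrong return value, should be SANITY_FAIL */
    }
    return SANITY_OK;
}

/* Fixed variant: reject a short header with the correct return value, bound
 * the entry count, and require the full variable-length part to be present. */
static int check_token_sanity_fixed(const unsigned char *msg, size_t msg_len)
{
    struct memb_commit_token_hdr hdr;
    if (msg_len < sizeof hdr) {
        return SANITY_FAIL;
    }
    memcpy(&hdr, msg, sizeof hdr);               /* safe, unaligned-tolerant copy */
    if (hdr.addr_entries > MAX_ENTRIES) {
        return SANITY_FAIL;                      /* also keeps the multiply in range */
    }
    size_t need = sizeof hdr +
                  (size_t)hdr.addr_entries * sizeof(struct memb_commit_token_entry);
    if (msg_len < need) {
        return SANITY_FAIL;                      /* header ok, entries truncated */
    }
    return SANITY_OK;
}

/* Parser that only touches the buffer after the fixed check accepts it.
 * Returns the entry count, or -1 when the message is rejected. */
static int process_token(const unsigned char *msg, size_t msg_len)
{
    if (check_token_sanity_fixed(msg, msg_len) != SANITY_OK) {
        return -1;
    }
    struct memb_commit_token_hdr hdr;
    memcpy(&hdr, msg, sizeof hdr);
    return (int)hdr.addr_entries;
}

/* Builds a constructed sample token with the given number of entries.
 * Returns the token length in bytes, or 0 if it does not fit in buf. */
static size_t build_sample_token(unsigned char *buf, size_t cap, uint32_t entries)
{
    struct memb_commit_token_hdr hdr = { 7, 42, 0, entries };
    size_t need = sizeof hdr + (size_t)entries * sizeof(struct memb_commit_token_entry);
    if (need > cap) {
        return 0;
    }
    memcpy(buf, &hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0xAB, need - sizeof hdr);   /* constructed entry bytes */
    return need;
}

/* Returns 1 if the buggy check wrongly accepts an 8-byte truncation. */
static int buggy_check_accepts_truncated(void)
{
    unsigned char buf[256];
    size_t n = build_sample_token(buf, sizeof buf, 2);
    return n > 8 && check_token_sanity_buggy(buf, 8) == SANITY_OK;
}

/* Returns 1 if the fixed check rejects every truncation of a valid token
 * and still accepts the complete token. */
static int fixed_check_rejects_all_truncations(void)
{
    unsigned char buf[256];
    size_t n = build_sample_token(buf, sizeof buf, 2);
    for (size_t len = 0; len < n; len++) {
        if (check_token_sanity_fixed(buf, len) != SANITY_FAIL) {
            return 0;
        }
    }
    return check_token_sanity_fixed(buf, n) == SANITY_OK && process_token(buf, n) == 2;
}

int main(void)
{
    printf("buggy check accepts truncated token: %d\n", buggy_check_accepts_truncated());
    printf("fixed check rejects all truncations: %d\n", fixed_check_rejects_all_truncations());
    return 0;
}
```

The property exercised by fixed_check_rejects_all_truncations is the one worth adding to a regression suite for any length-prefixed message parser: for a valid message of n bytes, every prefix of fewer than n bytes must be rejected before any field is dereferenced, which is exactly the condition a wrong return value in the sanity check violates.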

Remediation

To mitigate this vulnerability, restrict network access to the Corosync service on UDP port 5405 to trusted hosts or networks. If Corosync is not needed, consider disabling the service. After making these changes, a restart of the Corosync service or a system reboot may be required for the changes to take effect.

Added: Apr 1, 2026, 2:35 PM
Updated: Apr 1, 2026, 2:35 PM

Vulnerability Rating

Custom Algorithm

  spread          2.6
  impact          3.1
  exploitability  9.1
  remediation     7.9
  relevance       4.8
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.