Corosync
cpe:2.3:a:corosync:corosync:*:*:*:*:*:*:*
An integer overflow vulnerability has been identified in Corosync's join message validation, specifically in deployments using totemudp/totemudpu mode. This flaw allows remote, unauthenticated attackers to send crafted UDP packets that exploit the overflow, causing the service to crash and leading to a denial-of-service condition.
Exploitation of this vulnerability causes Corosync to crash, disrupting service and causing a denial-of-service condition.
The vulnerability can be reproduced by sending crafted UDP packets to a Corosync service running in totemudp/totemudpu mode. The integer overflow occurs when the 'proc_list_entries' and 'failed_list_entries' values, which are controlled by the attacker, are added together, wrapping around and bypassing validation checks. This allows Corosync to process malformed input that should have been rejected, leading to a service crash.
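The wrap-around described above, as an added illustration in C; this is not Corosync's own code. `HDR_LEN`, `ENTRY_LEN`, `MAX_ENTRIES` and both function names are assumptions made for the example. The first check adds the two counts in 32-bit arithmetic and can be bypassed, while the second bounds each count before comparing against the received length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; not Corosync's real message layout. */
#define HDR_LEN     16u   /* fixed header size */
#define ENTRY_LEN   8u    /* size of one list entry */
#define MAX_ENTRIES 128u  /* upper bound on entries per list */

/* Flawed pattern: the 32-bit sum can wrap to a small number, so a
 * message far too short for the claimed entries is accepted (returns 1). */
int check_wrapping(uint32_t proc_list_entries, uint32_t failed_list_entries,
                   size_t msg_len)
{
    uint32_t total = proc_list_entries + failed_list_entries; /* may wrap */
    uint32_t required = HDR_LEN + total * ENTRY_LEN;          /* may wrap */
    return msg_len >= required;
}

/* Hardened pattern: bound each count on its own, then compare by
 * division so no intermediate value can overflow. */
int check_hardened(uint32_t proc_list_entries, uint32_t failed_list_entries,
                   size_t msg_len)
{
    if (msg_len < HDR_LEN)
        return 0;
    if (proc_list_entries > MAX_ENTRIES || failed_list_entries > MAX_ENTRIES)
        return 0;
    uint64_t total = (uint64_t)proc_list_entries + failed_list_entries;
    return total <= (msg_len - HDR_LEN) / ENTRY_LEN;
}

int main(void)
{
    /* Constructed inputs: counts whose 32-bit sum is 0, header-only message. */
    uint32_t proc = UINT32_MAX, failed = 1;
    printf("wrapping check accepts: %d\n", check_wrapping(proc, failed, HDR_LEN));
    printf("hardened check accepts: %d\n", check_hardened(proc, failed, HDR_LEN));
    /* Well-formed message: 2 + 1 entries with room for all three. */
    printf("hardened accepts valid: %d\n",
           check_hardened(2, 1, HDR_LEN + 3 * ENTRY_LEN));
    return 0;
}
```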
It is recommended to restrict network access to Corosync cluster communication ports. Configure firewall rules to limit incoming UDP traffic on the default port 5405 to only trusted hosts within the cluster. A service restart may be required for firewall changes to take effect.