FastNetMon Community Edition Out-of-Bounds Read Vulnerability in IPv4 Packet Parsing

A vulnerability allowing out-of-bounds read has been identified in FastNetMon Community Edition versions through 1.2.9. The issue arises in the IPv4 packet parser, where the Internet Header Length (IHL) field is not properly validated before the parser advances the reading pointer. This oversight can lead to reading 40 bytes beyond the end of the validated packet, potentially causing information disclosure from adjacent process memory and type confusion in downstream protocol parsers. The vulnerability is accessible through any packet capture interface.

Impact

Exploitation of this vulnerability causes an out-of-bounds read that can lead to information disclosure from process memory, a denial-of-service condition, and type confusion between IPv4 and transport layer headers in downstream parsers.

Reproduction

The vulnerability can be reproduced by sending IPv4 packets with a crafted IHL value. Packets with an IHL of 15 will cause the parser to read 40 bytes past the end of the IP header, while an IHL of 0-4 will result in the parser misinterpreting IP header data as transport layer information, creating type confusion.

Remediation

Users are advised to update FastNetMon to a version later than 1.2.9 that includes the IHL validation fix. Until the patch is applied, FastNetMon can be run as a low-privilege user and should be configured to restrict NetFlow, sFlow, and IPFIX collectors to known router IPs only.