FastNetMon Community Edition Out-of-Bounds Read Vulnerability in NetFlow v9 Options Template Parser

A vulnerability allowing out-of-bounds read has been identified in FastNetMon Community Edition versions through 1.2.9. The issue arises in the NetFlow v9 options template parser, specifically within the 'process_netflow_v9_options_template' function of the NetFlow plugin collector. The vulnerability is caused by the parser's scope processing loop, which iterates based on an attacker-controlled length value without proper bounds checking. This flaw allows reads to extend beyond the intended buffer, potentially leading to information disclosure or a crash. The same issue occurs in the options field loop, with unvalidated length values causing misaligned reads. Exploitation can be triggered by sending crafted NetFlow v9 options templates to the collector's default UDP port.

Impact

Exploitation of this vulnerability causes out-of-bounds reads that can lead to information disclosure, allowing an attacker to map heap memory two bytes at a time. This could disrupt the application's normal operation, especially in DDoS detection scenarios, by introducing type confusion in how exported data is interpreted.

Reproduction

The vulnerability can be reproduced by sending a crafted NetFlow v9 options template flowset to a FastNetMon collector that is listening on the default UDP port 2055. The crafted template must include an inflated 'option_scope_length' or 'option_length' to drive the parser's inner loops past the end of the UDP packet buffer.

Remediation

Until a fix is released, it is recommended to allowlist the NetFlow port at the firewall, bind the collector to a management interface instead of '0.0.0.0', run the daemon under 'systemd-restart' with 'Restart=on-failure', and drop NetFlow v9 entirely if it is not needed.