FastNetMon
- <= 1.2.9
A vulnerability allowing multiple out-of-bounds reads has been identified in FastNetMon Community Edition versions through 1.2.9. The issue resides in the BGP MP_REACH_NLRI IPv6 attribute decoder, in the function decode_mp_reach_ipv6() in src/bgp_protocol.cpp. It stems from the absence of proper sanity checks, which allows unsafe memory reads. The function:
- casts raw pointers to structure types without verifying that sufficient data is available;
- uses the attacker-controlled length_of_next_hop field to determine the size of a memory copy;
- calculates prefix_length by dereferencing a pointer derived from multiple attacker-controlled offsets without bounds validation.

An attacker who manipulates length_of_next_hop can skew this calculation, leading to arbitrary memory reads and potentially exploitable corruption of adjacent memory.
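The checks described above as missing can be seen in a bounds-checked decoder for the same attribute. This is an added example, not FastNetMon's code or a patch from the project: `Ipv6Reach`, `Reader` and `decode_mp_reach_ipv6_checked` are hypothetical names, the field layout follows RFC 4760, and only the first NLRI prefix is decoded.

```cpp
// Added example, not FastNetMon source: all names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

struct Ipv6Reach {
    uint8_t next_hop[16] = {};  // global next hop
    uint8_t prefix[16] = {};    // first NLRI prefix, zero padded
    uint8_t prefix_length = 0;  // in bits
};

// Cursor that never hands out bytes beyond the end of the attribute value.
struct Reader {
    const uint8_t* p;
    size_t left;
    bool take(void* out, size_t n) {
        if (n > left) return false;  // length check before every read
        if (out != nullptr) std::memcpy(out, p, n);
        p += n;
        left -= n;
        return true;
    }
};

// Returns false on any malformed input and leaves `out` untouched in that case.
bool decode_mp_reach_ipv6_checked(const uint8_t* data, size_t len, Ipv6Reach& out) {
    Reader r{data, len};
    uint8_t hdr[4];  // AFI (2), SAFI (1), length of next hop (1)
    if (!r.take(hdr, sizeof hdr)) return false;
    if (hdr[0] != 0 || hdr[1] != 2 || hdr[2] != 1) return false;  // IPv6 unicast only
    const uint8_t nh_len = hdr[3];
    if (nh_len != 16 && nh_len != 32) return false;  // RFC 2545 allows only 16 or 32
    Ipv6Reach tmp;
    if (!r.take(tmp.next_hop, sizeof tmp.next_hop)) return false;  // fixed-size copy
    if (!r.take(nullptr, nh_len - 16u)) return false;  // skip optional link-local hop
    if (!r.take(nullptr, 1)) return false;             // reserved octet
    if (!r.take(&tmp.prefix_length, 1)) return false;
    if (tmp.prefix_length > 128) return false;         // longer than an IPv6 address
    if (!r.take(tmp.prefix, (tmp.prefix_length + 7u) / 8u)) return false;
    out = tmp;
    return true;
}

int main() {
    // Constructed sample: length_of_next_hop set to 255 in a short attribute.
    const uint8_t bad[8] = {0x00, 0x02, 0x01, 0xFF, 0, 0, 0, 0};
    Ipv6Reach r;
    std::printf("accepted: %d\n", decode_mp_reach_ipv6_checked(bad, sizeof bad, r));
}
```

The copy size is always the destination's fixed size, and the wire length is only ever compared against an allowlist and the remaining byte count.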
Exploitation of this vulnerability allows for out-of-bounds reads, with the possibility of adjacent memory corruption. If the overflow affects the stack, it could corrupt stack values, including the return address. Over-read behavior can be used as a memory disclosure primitive, potentially leaking sensitive information.
To reproduce this vulnerability, send a crafted BGP MP_REACH_NLRI attribute with the length_of_next_hop field set to 255. This will trigger the out-of-bounds read by causing the decoder to read 255 bytes from the attribute, overwriting adjacent memory. The vulnerability can be exploited remotely via a BGP peer, using a BGP implementation like GoBGP that allows for such manipulation.
As of now, no official fix has been released. However, users can disable IPv6 BGP if not needed, restrict BGP peer allowlists to trusted entities, cap inbound BGP attribute sizes at GoBGP, and build FastNetMon with stack protection flags to mitigate potential damage while awaiting a fix.