FastNetMon
- <= 1.2.9
A heap buffer overflow vulnerability has been identified in FastNetMon Community Edition versions through 1.2.9. The issue arises from an integer overflow in the BGP AS_PATH attribute encoder, specifically in the 'IPv4UnicastAnnounce::get_attributes()' function. The attribute length is calculated from the number of ASNs in the AS_PATH, and when that number exceeds 63 the computed length is silently truncated. The truncated length is then used for buffer sizing, creating a mismatch that results in a heap buffer overflow.
Exploitation of this vulnerability causes a heap-based buffer overflow, where attacker-controlled data overwrites adjacent memory in the heap, potentially leading to arbitrary code execution.
To reproduce this vulnerability, an AS_PATH containing more than 63 ASNs must be constructed. This can be done by injecting a long AS_PATH from a BGP peer or by calling the gRPC API's 'ExecuteBan' method with a parameter that includes a lengthy AS_PATH. Once the AS_PATH exceeds 63 ASNs, the 'IPv4UnicastAnnounce::get_attributes()' function will truncate the length, causing a buffer overflow when the AS_PATH is encoded and sent to a BGP peer.
As of now, no official patch has been released. Users are advised to update to a version of FastNetMon Community Edition that addresses this vulnerability once one is available. In the meantime, the gRPC API can be bound to localhost to prevent external access, and BGP peers should be audited for AS_PATH length to avoid injecting long AS_PATHs into FastNetMon.
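The truncation described above can be shown next to a length-checked encoder. This is an added example, not FastNetMon source code: the function names are hypothetical, and the layout (a one-octet attribute length, a 2-octet segment header and 4 octets per ASN) is an assumption chosen because it matches the 63-ASN threshold stated in this advisory.

```cpp
// Added example, not FastNetMon source. Assumed layout: one-octet attribute
// length, 2-octet segment header (type, count), 4 octets per ASN.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr uint8_t kFlagTransitive = 0x40;      // AS_PATH is well-known mandatory
constexpr uint8_t kFlagExtendedLength = 0x10;  // RFC 4271: length is two octets
constexpr uint8_t kAttrAsPath = 2;
constexpr uint8_t kAsSequence = 2;

// Octets the AS_PATH value really needs.
size_t as_path_value_size(size_t asn_count) { return 2 + 4 * asn_count; }

// Defect class: the size is narrowed to one octet with no range check.
uint8_t truncated_length(size_t asn_count) {
    return static_cast<uint8_t>(as_path_value_size(asn_count));
}

// Hardened encoder: sizes the buffer from the full-width value and switches to
// the extended-length form instead of truncating. Rejects paths whose ASN
// count does not fit the one-octet segment count.
bool encode_as_path(const std::vector<uint32_t>& asns, std::vector<uint8_t>& out) {
    out.clear();
    if (asns.size() > 0xFF) return false;
    const size_t value_size = as_path_value_size(asns.size());
    const bool extended = value_size > 0xFF;
    out.reserve((extended ? 4 : 3) + value_size);
    out.push_back(static_cast<uint8_t>(kFlagTransitive | (extended ? kFlagExtendedLength : 0)));
    out.push_back(kAttrAsPath);
    if (extended) out.push_back(static_cast<uint8_t>(value_size >> 8));
    out.push_back(static_cast<uint8_t>(value_size & 0xFF));
    out.push_back(kAsSequence);
    out.push_back(static_cast<uint8_t>(asns.size()));
    for (uint32_t asn : asns)
        for (int shift = 24; shift >= 0; shift -= 8)
            out.push_back(static_cast<uint8_t>(asn >> shift));
    return true;
}

int main() {
    for (size_t n : {63u, 64u}) {  // constructed ASN counts around the threshold
        std::vector<uint8_t> enc;
        encode_as_path(std::vector<uint32_t>(n, 65000u), enc);
        std::printf("asns=%zu needed=%zu truncated=%u encoded=%zu\n", n,
                    as_path_value_size(n), unsigned(truncated_length(n)), enc.size());
    }
}
```

Under these assumptions 63 ASNs need 254 octets, which fits one octet, while 64 ASNs need 258 and truncate to 2, so any buffer sized from the narrowed value is far smaller than the data encoded into it.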