FastNetMon Community Edition Buffer Overflow Vulnerability in ExaBGP Action Handler

Vulnerability

A buffer overflow vulnerability has been identified in FastNetMon Community Edition versions through 1.2.9. The issue arises in the ExaBGP action handler, specifically within the 'exabgp_prefix_ban_manage' function. The vulnerability is caused by the use of 'sprintf()' to format a BGP command into a fixed-size stack buffer of 256 bytes. This buffer is overflowed by unbounded data from the 'exabgp_community' configuration value, which is read from the 'fastnetmon.conf' file without proper length validation. The overflow can be exploited to overwrite the saved return address on x86_64 systems, potentially leading to arbitrary code execution.

Impact

Exploitation of this vulnerability causes a stack buffer overflow, allowing for overwriting of the saved return address and potential execution of arbitrary code.

Reproduction

The vulnerability can be reproduced by configuring FastNetMon to use ExaBGP as the BGP speaker and then supplying a long community list in the 'fastnetmon.conf' file. When FastNetMon processes a BGP announcement, the 'exabgp_prefix_ban_manage' function is invoked, triggering the buffer overflow by writing the excessive community data into the fixed-size buffer.

Remediation

FastNetMon users who do not use ExaBGP should disable the ExaBGP action. For those who do use it, the vulnerability can be addressed by modifying the 'exabgp_prefix_ban_manage' function to use a dynamic string approach that eliminates fixed-size buffers, and by implementing proper validation of the community list length before processing.
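
One way to apply the remediation described above, as an added example that is not FastNetMon's own code: the ExaBGP command is built in a std::string and the community list is checked and rebuilt before use. The function names, the length and count limits, and the command layout are assumptions made for this illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Assumed limits for this example; not values taken from FastNetMon.
constexpr std::size_t kMaxCommunityListLen = 128;
constexpr std::size_t kMaxCommunities = 8;

// True if s is a decimal number that fits in 16 bits (one half of "ASN:value").
static bool is_u16(const std::string& s) {
    if (s.empty() || s.size() > 5) return false;
    unsigned v = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return false;
        v = v * 10 + static_cast<unsigned>(c - '0');
    }
    return v <= 65535;
}

// Validate whitespace-separated "ASN:value" pairs and rebuild the list from accepted tokens only.
bool normalize_community_list(const std::string& raw, std::string& out) {
    out.clear();
    if (raw.size() > kMaxCommunityListLen) return false;
    std::istringstream in(raw);
    std::string token;
    std::size_t count = 0;
    while (in >> token) {
        const std::size_t colon = token.find(':');
        if (colon == std::string::npos || ++count > kMaxCommunities) return false;
        if (!is_u16(token.substr(0, colon)) || !is_u16(token.substr(colon + 1))) return false;
        if (!out.empty()) out += ' ';
        out += token;
    }
    return count > 0;
}

// No fixed-size buffer and no sprintf(); prefix and next_hop are assumed validated by the caller.
bool build_announce(const std::string& prefix, const std::string& next_hop,
                    const std::string& raw_community, std::string& cmd) {
    std::string community;
    if (!normalize_community_list(raw_community, community)) return false;
    cmd = "announce route " + prefix + " next-hop " + next_hop + " community [" + community + "]";
    return true;
}
int main() {
    std::string cmd;  // sample inputs below are constructed for this example
    for (const std::string& c : {std::string("65001:666"), std::string(400, '1')})
        std::cout << (build_announce("192.0.2.10/32", "198.51.100.1", c, cmd) ? cmd : "rejected") << "\n";
}
```

Rebuilding the list from accepted tokens, rather than copying the raw configuration value, also keeps stray brackets or line breaks out of the command sent to ExaBGP.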

Added: May 26, 2026, 10:32 PM
Updated: May 26, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 3.6
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.