FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior.
The decode_bgp_subnet_encoding_ipv4_raw() function in src/bgp_protocol.cpp reads the prefix_bit_length value directly from the BGP packet without validation that it does not exceed 32 (the maximum IPv4 prefix length). This value is passed to the how_much_bytes_we_need_for_storing_certain_subnet_mask() function, which calculates the number of bytes as ceil(prefix_bit_length / 8) — for a value of 255 it returns 32 bytes. The result is then used as the length argument in a memcpy() call, which copies data into a 4-byte stack variable prefix_ipv4, causing a stack buffer overflow of up to 28 bytes. Additionally, the unvalidated prefix_bit_length value is passed to the convert_cidr_to_binary_netmask_local_function_copy() function, where a bit shift (32 - cidr) for cidr > 32 triggers undefined behavior.
An attacker can conduct a remote attack without authentication and gain the ability to execute arbitrary code (RCE) in the context of the FastNetMon process, which in practice can mean complete takeover of the system.
Patches available from the vendor should be applied according to the references. Until the update is performed, it is recommended to restrict network access to BGP interfaces only to trusted peers through firewall rules and monitor BGP traffic for anomalous prefix lengths.
FastNetMon Community Edition in versions up to and including 1.2.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPavel Odintsov Fastnetmon
APPPavel-Odintsov≤ 1.2.9
Related vulnerabilities
FastNetMon: integer overflow w enkodowaniu BGP AS_PATH prowadzący do heap buffer overflow
Command injection w pluginie Juniper FastNetMon Community Edition
FastNetMon: off-by-one heap buffer overflow umożliwiający RCE
FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture bu...
FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6...