CVE-2021-43612: lldpd » implementation of IEEE 802.1AB
In lldpd before 1.0.13, when decoding SONMP packets in the sonmp_decode function, it’s possible to trigger an out-of-bounds heap read via short SONMP packets.
Security
lldpd contains several security features to mitigate vulnerabilities (privilege separation, chrooted process, …). If you wish to report a security issue, either open an issue on GitHub or mail me directly.
Past vulnerabilities
CVE-2021-43612: heap overflow when parsing SONMP packets that are too short. This vulnerability affects the parser, which runs in an unprivileged and chrooted process. It does not allow arbitrary code execution. This bug was fixed in commit 73d42680 and in version 1.0.13. It was discovered by Jeremy Galindo.
CVE-2020-27827: memory exhaustion attack through crafted LLDPDUs with duplicate TLVs. A remote device can send an LLDPDU with a duplicate port description, system name, or system description TLV and trigger a memory leak. The vulnerability does not allow arbitrary code execution. This bug has been present since the initial release. It was fixed in commits a8d3c90f (1.0.8) and 7d60bf30 (1.0.9).
CVE-2015-8011: buffer overflow when handling the management address TLV for LLDP. When a remote device advertised a management address that was too large while still respecting TLV boundaries, lldpd would crash due to a buffer overflow. This vulnerability affects the parser, which runs in an unprivileged and chrooted process. It does not allow arbitrary code execution unless hardening has been specifically disabled. This bug was introduced in version 0.6.0. It was fixed in commit dd4f16e7 and in version 0.7.19.
CVE-2015-8012: crash on malformed management address. When a remote device advertised a malformed management address, lldpd would crash with an assertion error. This vulnerability affects the parser, which runs in an unprivileged and chrooted process. It does not allow arbitrary code execution. This bug was introduced in version 0.6.0. It was fixed in commit 793526f8 and in version 0.7.19.
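As an added illustration of the CVE-2020-27827 entry above (this is not lldpd's code): a small C parser for the TLV area of an LLDPDU that stores each string TLV once, rejects a duplicate instead of overwriting the earlier allocation, and checks every TLV length against the bytes that remain. The structure, the function names, the sample byte strings and the choice to reject rather than replace a duplicate are assumptions made for the example; the type codes 4, 5 and 6 and the 7-bit type / 9-bit length header are those of IEEE 802.1AB.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for illustration; these are not lldpd's own structures. */
enum { TLV_END = 0, TLV_PORT_DESCR = 4, TLV_SYS_NAME = 5, TLV_SYS_DESCR = 6 };
struct neighbor { char *port_descr, *sys_name, *sys_descr; };

/* Constructed sample TLV areas: well-formed, duplicate system name, short value. */
const uint8_t SAMPLE_OK[]    = {0x0a,0x03,'s','w','1', 0x08,0x02,'e','0', 0x00,0x00};
const uint8_t SAMPLE_DUP[]   = {0x0a,0x03,'s','w','1', 0x0a,0x03,'s','w','2', 0x00,0x00};
const uint8_t SAMPLE_SHORT[] = {0x0a,0x09,'s','w'};

void neighbor_free(struct neighbor *n) {
    free(n->port_descr); free(n->sys_name); free(n->sys_descr);
    memset(n, 0, sizeof(*n));
}

/* Store a string TLV once. Assigning a fresh buffer to *slot without freeing
 * the old one would leak one allocation per duplicate TLV, so reject it. */
static int set_once(char **slot, const uint8_t *val, size_t len) {
    if (*slot != NULL) return -1;                  /* duplicate TLV */
    if ((*slot = malloc(len + 1)) == NULL) return -1;
    memcpy(*slot, val, len);
    (*slot)[len] = '\0';
    return 0;
}

/* Parse TLVs up to the End TLV. Returns 0 on success and -1 on malformed
 * input; on failure everything allocated so far is released. */
int parse_tlvs(const uint8_t *buf, size_t size, struct neighbor *n) {
    size_t off = 0;
    memset(n, 0, sizeof(*n));
    while (size - off >= 2) {
        unsigned type = buf[off] >> 1;             /* upper 7 bits */
        size_t len = ((size_t)(buf[off] & 1) << 8) | buf[off + 1];
        off += 2;
        if (len > size - off) goto bad;            /* value runs past the buffer */
        if (type == TLV_END) return 0;
        char **slot = type == TLV_PORT_DESCR ? &n->port_descr :
                      type == TLV_SYS_NAME   ? &n->sys_name :
                      type == TLV_SYS_DESCR  ? &n->sys_descr : NULL;
        if (slot != NULL && set_once(slot, buf + off, len) != 0) goto bad;
        off += len;
    }
bad: /* also reached when the End TLV is missing (treated here as truncated) */
    neighbor_free(n);
    return -1;
}
```

Replacing the old value (free, then store) instead of rejecting the frame would also close the leak; the point is that the earlier allocation is never silently dropped.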