FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency.
Five methods of the dynamic_binary_buffer_t class (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use incorrect boundary condition checking in the form of 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This makes it possible to write exactly one byte beyond the end of the heap-allocated buffer. This class is widely used during encoding and decoding of BGP messages, processing NetFlow templates, and building Flow Spec NLRI messages. An attacker can trigger overflow by sending specially crafted NetFlow, sFlow, IPFIX, or BGP packets to a vulnerable FastNetMon instance, which can lead to heap metadata corruption and consequently arbitrary code execution.
An unauthenticated attacker can remotely execute arbitrary code (RCE) on a server running FastNetMon by corrupting heap metadata. Loss of confidentiality, integrity, and availability of the system is also possible.
Apply patches available from the vendor according to the references. Until an update is applied, it is recommended to restrict network access to the FastNetMon instance (NetFlow, sFlow, IPFIX, BGP) only to trusted sources using firewall rules.
FastNetMon Community Edition versions up to and including 1.2.9 (product: Pavel-Odintsov FastNetMon)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPavel Odintsov Fastnetmon
APPPavel-Odintsov≤ 1.2.9
Related vulnerabilities
FastNetMon: integer overflow w enkodowaniu BGP AS_PATH prowadzący do heap buffer overflow
Stack buffer overflow w FastNetMon — RCE przez BGP NLRI
Command injection w pluginie Juniper FastNetMon Community Edition
FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture bu...
FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6...