[ovs-discuss] [ADVISORY] CVE-2020-27827: lldp: Externally triggered memory leak.

Aaron Conole aconole at redhat.com
Wed Jan 13 16:19:15 UTC 2021 

Description
===========

Multiple versions of Open vSwitch are vulnerable to denial of service
attacks in which crafted LLDP packets could cause memory to be lost
when allocating data to handle specific optional TLVs.  Triggering the
vulnerability requires LLDP processing to be enabled for a specific
port.  Open vSwitch versions before 2.5.x are not vulnerable.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
previously assigned the identifier CVE-2020-27827 to this issue for
the `lldpd` project, and the Open vSwitch project.


Mitigation
==========

For any version of Open vSwitch, preventing LLDP packets from
reaching Open vSwitch mitigates the vulnerability.  We do not recommend
attempting to mitigate the vulnerability this way because of the
following difficulties:

    - Open vSwitch obtains packets before the iptables host firewall,
      so ebtables on the Open vSwitch host cannot ordinarily block the
      vulnerability.

    - If Open vSwitch is configured to receive and transmit LLDP
      messages, the required functionality will need to be disabled
      potentially disrupting the network.

We have found that Open vSwitch is subject to a denial of service
exploit when LLDP processing is enabled on an interface.  By default,
interfaces are not configured to process LLDP messages.


Recommendation
==============

We recommend that users of Open vSwitch apply the included patch, or
upgrade to a known patched version of Open vSwitch.  These include:

* 2.14.1
* 2.13.2
* 2.12.2
* 2.11.5
* 2.10.6
* 2.9.8
* 2.8.10
* 2.7.12
* 2.6.9


Acknowledgments
===============

The Open vSwitch team wishes to thank the reporter:

  Jonas Rudloff <jonas.t.rudloff at gmail.com>

Fix:

The patch to resolve this issue is attached.

Reported-by: Jonas Rudloff <jonas.t.rudloff at gmail.com>
Signed-off-by: Aaron Conole <aconole at redhat.com>
---
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index e5755307fb..18afbab9a7 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
             b = xzalloc(tlv_size + 1);
             PEEK_BYTES(b, tlv_size);
             if (tlv_type == LLDP_TLV_PORT_DESCR) {
+                free(port->p_descr);
                 port->p_descr = b;
             } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) {
+                free(chassis->c_name);
                 chassis->c_name = b;
             } else {
+                free(chassis->c_descr);
                 chassis->c_descr = b;
             }
             break;
---

More information about the discuss mailing list