[thirdparty/lldpd.git] / content / security.html

---
title: Security
---

`lldpd` contains several security features to mitigate vulnerabilities
(privilege separation, chrooted process, …). If you wish to report a
security issue, either open an [issue on GitHub][] or [mail me][]
directly.

# Past vulnerabilities

 * [CVE-2020-27827][]: memory exhaustion attack through crafted LLDPU
   with duplicate TLVs. A remote device can send LLDPU with a
   duplicate port description, system name, or system description TLV
   and trigger a memory leak. The vulnerability does not allow
   arbitrary code execution. This bug is present since the initial
   release. It has been fixed in commits [a8d3c90f][] (1.0.8), and
   [7d60bf30][] (1.0.9)

 * [CVE-2015-8011][]: buffer overflow when handling management address
   TLV for LLDP. When a remote device was advertising a too large
   management address while still respecting TLV boundaries, lldpd
   would crash due to a buffer overflow. This vulnerability affects
   the parser which is run in an unprivileged and chrooted
   process. It does not allow arbitrary code execution
   unless hardening has been specifically disabled. This bug has been
   introduced in version 0.6.0. It has been fixed in commit
   [dd4f16e7][] and in version 0.7.19.

 * [CVE-2015-8012][]: crash on malformed management address. When a
   remote device was advertising a malformed management address, lldpd
   would crash with an assertion error. This vulnerability affects the
   parser which is run in an unprivileged and chrooted process. It
   does not allow arbitrary code execution. This bug has been
   introduced in version 0.6.0. It has been fixed in commit
   [793526f8][] and in version 0.7.19.

[issue on GitHub]: https://github.com/lldpd/lldpd/issues/new
[mail me]: mailto:vincent@bernat.ch
[CVE-2015-8011]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8011
[CVE-2015-8012]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8012
[CVE-2020-27827]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27827
[dd4f16e7]: https://github.com/lldpd/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
[793526f8]: https://github.com/lldpd/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
[a8d3c90f]: https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff61
[7d60bf30]: https://github.com/lldpd/lldpd/commit/7d60bf30effc4c88f17f3d58ecaa72479f16d4be

{# Local Variables:      #}
{# mode: markdown        #}
{# indent-tabs-mode: nil #}
{# End:                  #}
Commit	Line	Data
aa58fbfe VB	1	---
	2	title: Security
	3	---
	4
	5	`lldpd` contains several security features to mitigate vulnerabilities
	6	(privilege separation, chrooted process, …). If you wish to report a
	7	security issue, either open an [issue on GitHub][] or [mail me][]
	8	directly.
	9
	10	# Past vulnerabilities
	11
d436b636	12	* [CVE-2020-27827][]: memory exhaustion attack through crafted LLDPU
fcf94eb0 VB	13	with duplicate TLVs. A remote device can send LLDPU with a
	14	duplicate port description, system name, or system description TLV
	15	and trigger a memory leak. The vulnerability does not allow
	16	arbitrary code execution. This bug is present since the initial
50ee6724 VB	17	release. It has been fixed in commits [a8d3c90f][] (1.0.8), and
50ee6724 VB	18	[7d60bf30][] (1.0.9)
d436b636	19
aa58fbfe VB	20	* [CVE-2015-8011][]: buffer overflow when handling management address
	21	TLV for LLDP. When a remote device was advertising a too large
	22	management address while still respecting TLV boundaries, lldpd
	23	would crash due to a buffer overflow. This vulnerability affects
	24	the parser which is run in an unprivileged and chrooted
	25	process. It does not allow arbitrary code execution
	26	unless hardening has been specifically disabled. This bug has been
	27	introduced in version 0.6.0. It has been fixed in commit
	28	[dd4f16e7][] and in version 0.7.19.
	29
	30	* [CVE-2015-8012][]: crash on malformed management address. When a
	31	remote device was advertising a malformed management address, lldpd
	32	would crash with an assertion error. This vulnerability affects the
	33	parser which is run in an unprivileged and chrooted process. It
	34	does not allow arbitrary code execution. This bug has been
	35	introduced in version 0.6.0. It has been fixed in commit
	36	[793526f8][] and in version 0.7.19.
	37
aaa57e6d	38	[issue on GitHub]: https://github.com/lldpd/lldpd/issues/new
4d5fba58	39	[mail me]: mailto:vincent@bernat.ch
aa58fbfe VB	40	[CVE-2015-8011]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8011
aa58fbfe VB	41	[CVE-2015-8012]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8012
d436b636	42	[CVE-2020-27827]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27827
aaa57e6d VB	43	[dd4f16e7]: https://github.com/lldpd/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
aaa57e6d VB	44	[793526f8]: https://github.com/lldpd/lldpd/commit/793526f8884455f43daecd0a2c46772388417a00
d436b636	45	[a8d3c90f]: https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff61
50ee6724	46	[7d60bf30]: https://github.com/lldpd/lldpd/commit/7d60bf30effc4c88f17f3d58ecaa72479f16d4be
aa58fbfe VB	47
	48	{# Local Variables: #}
	49	{# mode: markdown #}
	50	{# indent-tabs-mode: nil #}
	51	{# End: #}