Lucene search

K
archlinuxArchLinuxASA-202101-29
HistoryJan 20, 2021 - 12:00 a.m.

[ASA-202101-29] lldpd: information disclosure

2021-01-2000:00:00
security.archlinux.org
83

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.006 Low

EPSS

Percentile

78.3%

Arch Linux Security Advisory ASA-202101-29

Severity: Medium
Date : 2021-01-20
CVE-ID : CVE-2020-27827
Package : lldpd
Type : information disclosure
Remote : Yes
Link : https://security.archlinux.org/AVG-1451

Summary

The package lldpd before version 1.0.8-1 is vulnerable to information
disclosure.

Resolution

Upgrade to 1.0.8-1.

pacman -Syu “lldpd>=1.0.8-1”

The problem has been fixed upstream in version 1.0.8.

Workaround

None.

Description

A security issue was found in lldpd before version 1.0.8. A packet that
contains multiple instances of certain TLVs will cause lldpd to
continually allocate memory and leak the old memory. As an example,
multiple instances of system name TLV will cause old values to be
dropped by the decoding routine.

Impact

A remote attack can leak information through crafted packets.

References

https://github.com/lldpd/lldpd/blob/master/NEWS
https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff61
https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
https://github.com/openvswitch/ovs/pull/337
https://github.com/openvswitch/ovs/commit/f915f32f5667e3b9d460055d8b47fa5d204ce83a
https://security.archlinux.org/CVE-2020-27827

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanylldpd< 1.0.8-1UNKNOWN

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.006 Low

EPSS

Percentile

78.3%