Source: fastnetmon X-Debbugs-CC: [email protected] Severity: grave Tags: security
Hi, The following vulnerabilities were published for fastnetmon. Most of these are harmless, but two (CVE-2026-48689 and CVE-2026-48688) are relevant. All links to commits etc. in the https://security-tracker.debian.org/tracker/source-package/fastnetmon entries for each CVE. There's also three other reports, which are not fixed upstream in 1.2.9 (but this bug only tracks the issues fixed in 1.2.9): CVE-2026-48689[0]: | FastNetMon Community Edition through 1.2.9 contains an off-by-one | heap-based buffer overflow in the dynamic_binary_buffer_t class | (src/dynamic_binary_buffer.hpp). Five methods | (append_dynamic_buffer, append_data_as_pointer, | append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) | use an incorrect bounds check of the form 'if (offset + length > | maximum_internal_storage_size + 1)' instead of the correct 'if | (offset + length > maximum_internal_storage_size)'. This allows | writing exactly one byte past the end of the heap-allocated buffer. | The class is used pervasively in BGP message encoding/decoding, | NetFlow template processing, and Flow Spec NLRI construction. An | attacker who can send network traffic (NetFlow, sFlow, IPFIX, or | BGP) to a FastNetMon instance can trigger this overflow, potentially | achieving arbitrary code execution by corrupting heap metadata. | Notably, the append_byte() method uses the correct bounds check, | confirming the inconsistency. CVE-2026-48688[1]: | FastNetMon Community Edition through 1.2.9 contains multiple out-of- | bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The | function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a | TODO comment at line 156 explicitly acknowledging 'we should add | sanity checks to avoid reads after attribute memory block.' The | function casts raw pointers to structure types without verifying | sufficient data exists (line 158), uses the attacker-controlled | length_of_next_hop field to determine memcpy size (line 181), and | computes prefix_length by dereferencing a pointer calculated from | multiple attacker-controlled offsets without bounds validation (line | 189). The prefix_length is then used to calculate | number_of_bytes_required_for_prefix which becomes a memcpy length | (line 202) with no check against remaining buffer size. CVE-2026-48696[2]: | FastNetMon Community Edition through 1.2.9 has a buffer overflow, a | different vulnerability than CVE-2026-48686 and CVE-2026-48689. CVE-2026-48695[3]: | FastNetMon Community Edition through 1.2.9 contains an OS command | injection vulnerability in the MikroTik router integration plugin. | The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php | (lines 107-108) constructs shell commands by concatenating the $msg | parameter directly into exec() calls: exec("echo `date` \"- | {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is | identical in pattern to the Juniper plugin vulnerability. The $msg | variable contains unsanitized attack data from command-line | arguments. An attacker who can influence argv[] values can inject | arbitrary shell commands. The fix is to replace exec() with | file_put_contents() or use escapeshellarg(). CVE-2026-48694[4]: | FastNetMon Community Edition through 1.2.9 contains a configuration | injection vulnerability in the Juniper router integration plugin. In | src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable | (received from argv[1]) is directly interpolated into Juniper | NETCONF set-configuration commands at lines 69 and 90 without any | validation or sanitization. Line 69: | $conn->load_set_configuration("set routing-options static route | {$IP_ATTACK} community 65535:666 discard"). Line 90: | $conn->load_set_configuration("delete routing-options static route | {$IP_ATTACK}/32"). An attacker who can control the IP address string | can inject additional Juniper CLI configuration commands by | embedding newline characters followed by arbitrary set/delete | commands. This could modify the router's routing table, firewall | filters, user accounts, or any other configuration element | accessible via NETCONF. The impact is full router compromise. CVE-2026-48691[5]: | FastNetMon Community Edition through 1.2.9 contains an integer | overflow in the BGP AS_PATH attribute encoder. In | src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() | function computes attribute_length as | 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * | sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605). | Since uint8_t can only hold values 0-255, an AS_PATH containing more | than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The | truncated length is used for buffer sizing, while the actual data | written is the full untruncated amount, resulting in a heap buffer | overflow. Similarly, the path_segment_length field at line 621 is | also uint8_t, truncating with more than 255 ASNs. CVE-2026-48690[6]: | FastNetMon Community Edition through 1.2.9 contains an integer | overflow vulnerability in the packet capture buffer allocation. In | src/packet_storage.hpp, the allocate_buffer() function computes | memory_size_in_bytes as 'buffer_size_in_packets * | (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) + | sizeof(fastnetmon_pcap_file_header_t)' using unsigned int (32-bit) | arithmetic. With max_captured_packet_size=1500 and | sizeof(fastnetmon_pcap_pkthdr_t)=16, each packet requires | approximately 1516 bytes. If buffer_size_in_packets exceeds | approximately 2,832,542, the multiplication overflows, resulting in | a much smaller allocation than expected. Subsequent write_packet() | calls then write past the allocated buffer, causing heap corruption. | The buffer_size_in_packets value is derived from the | ban_details_records_count configuration parameter, which is parsed | using atoi() with no overflow checking. CVE-2026-48687[7]: | FastNetMon Community Edition through 1.2.9 contains an OS command | injection vulnerability in the Juniper router integration plugin. | The _log() function in src/juniper_plugin/fastnetmon_juniper.php | (lines 117-118) constructs shell commands by concatenating the $msg | parameter directly into exec() calls: exec("echo `date` \"- | {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg | variable contains unsanitized data derived from command-line | arguments argv[1] through argv[3], which represent the attack IP | address, direction, and power. While FastNetMon's C++ core currently | passes IP addresses via inet_ntoa() (which only produces safe | dotted-decimal notation), the PHP script performs no input | validation or shell escaping. If the script is invoked directly, by | another orchestration system, or if future code changes pass string- | sourced IPs, arbitrary commands can be injected. The correct fix is | to replace exec() with file_put_contents() or use escapeshellarg() | on all parameters. CVE-2026-48686[8]: | FastNetMon Community Edition through 1.2.9 contains a stack-based | buffer overflow in the BGP NLRI (Network Layer Reachability | Information) decoder. The function | decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads | prefix_bit_length directly from the BGP packet (line 99) without | validating it is <= 32 for IPv4 prefixes. This value is passed to | how_much_bytes_we_need_for_storing_certain_subnet_mask() which | computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a | prefix_bit_length of 255. The result is used as the length argument | to memcpy() (line 106), which copies into a 4-byte uint32_t stack | variable (prefix_ipv4). This causes a stack buffer overflow of up to | 28 bytes, which can be exploited for arbitrary code execution. | Additionally, the unvalidated prefix_bit_length is passed to | convert_cidr_to_binary_netmask_local_function_copy() (line 111), | where a shift of (32 - cidr) with cidr > 32 causes undefined | behavior. CVE-2026-48685[9]: | FastNetMon Community Edition through 1.2.9 has out-of-bounds memory | access because it incorrectly parses BGP path attributes with the | extended length flag set. In src/bgp_protocol.hpp, the | parse_raw_bgp_attribute() function correctly identifies when | extended_length_bit is set and sets length_of_length_field to 2, but | then reads only a single byte for the attribute value length | (attribute_value_length = value[2] at line 173). Per RFC 4271 | Section 4.3, when the Extended Length bit is set, the Attribute | Length field is two octets and the value should be read as a 16-bit | big-endian integer from value[2] and value[3]. As a result, any | attribute longer than 255 bytes has its length silently truncated to | the low byte (e.g., 300 bytes = 0x012C is read as 0x2C = 44 bytes). | The remaining 256 bytes are then misinterpreted as subsequent | attributes, causing cascading parse failures and potential out-of- | bounds memory access. CVE-2026-48684[10]: | FastNetMon Community Edition through 1.2.9 contains an out-of-bounds | read in the NetFlow v9 options template parser. In | process_netflow_v9_options_template() | (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing | loop (lines 224-229) iterates until scopes_offset reaches the | attacker-controlled option_scope_length value, reading | netflow9_template_flowset_record_t structures at each step. No | bounds check validates that (zone_address + scopes_offset + | sizeof(record)) stays within the flowset. The same issue affects the | options field loop (lines 241-257) with option_length. Furthermore, | option_scope_length is not validated to be a multiple of | sizeof(netflow9_template_flowset_record_t), potentially causing | misaligned reads. An attacker can trigger reads past the end of the | UDP packet buffer. CVE-2026-48683[11]: | FastNetMon Community Edition through 1.2.9 contains an out-of-bounds | read vulnerability in the NetFlow v9 data flowset processor. In | src/netflow_plugin/netflow_v9_collector.cpp, the Data template | branch (lines 1695-1702) iterates over flow records without | performing a per-iteration bounds check against the packet end | pointer. In contrast, the Options template branch (lines 1709-1719) | correctly checks 'if (pkt + offset + field_template->total_length > | packet_end)' before each iteration. The Data branch omits this check | entirely. Since template definitions are sent by the network peer | (and are unauthenticated UDP), an attacker can craft templates that | cause the parser to read arbitrary memory past the packet buffer. | This can leak sensitive memory contents or cause a crash. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-48689 https://www.cve.org/CVERecord?id=CVE-2026-48689 [1] https://security-tracker.debian.org/tracker/CVE-2026-48688 https://www.cve.org/CVERecord?id=CVE-2026-48688 [2] https://security-tracker.debian.org/tracker/CVE-2026-48696 https://www.cve.org/CVERecord?id=CVE-2026-48696 [3] https://security-tracker.debian.org/tracker/CVE-2026-48695 https://www.cve.org/CVERecord?id=CVE-2026-48695 [4] https://security-tracker.debian.org/tracker/CVE-2026-48694 https://www.cve.org/CVERecord?id=CVE-2026-48694 [5] https://security-tracker.debian.org/tracker/CVE-2026-48691 https://www.cve.org/CVERecord?id=CVE-2026-48691 [6] https://security-tracker.debian.org/tracker/CVE-2026-48690 https://www.cve.org/CVERecord?id=CVE-2026-48690 [7] https://security-tracker.debian.org/tracker/CVE-2026-48687 https://www.cve.org/CVERecord?id=CVE-2026-48687 [8] https://security-tracker.debian.org/tracker/CVE-2026-48686 https://www.cve.org/CVERecord?id=CVE-2026-48686 [9] https://security-tracker.debian.org/tracker/CVE-2026-48685 https://www.cve.org/CVERecord?id=CVE-2026-48685 [10] https://security-tracker.debian.org/tracker/CVE-2026-48684 https://www.cve.org/CVERecord?id=CVE-2026-48684 [11] https://security-tracker.debian.org/tracker/CVE-2026-48683 https://www.cve.org/CVERecord?id=CVE-2026-48683 Please adjust the affected versions in the BTS as needed.
