CVE-2024-56072
Description
An issue was discovered in FastNetMon Community Edition through 1.2.7. The sFlow v5 plugin allows remote attackers to cause a denial of service (application crash) via a crafted packet that specifies many sFlow samples.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FastNetMon Community Edition ≤1.2.7 sFlow v5 plugin crashes on crafted packets with excessive samples, enabling remote DoS.
Vulnerability
The sFlow v5 plugin in FastNetMon Community Edition through version 1.2.7 lacks bounds checking on the number of samples in a packet. A remote attacker can send a crafted sFlow v5 packet specifying an excessive number of flow or counter samples, causing the application to crash due to memory allocation failure or other resource exhaustion. The vulnerability exists in the parse_sflow_v5_packet function and the process_sflow_flow_sample and process_sflow_counter_sample functions [1][2].
Exploitation
An attacker with network access to the FastNetMon instance can send a specially crafted sFlow v5 packet containing a large number of samples (e.g., via the datagram_samples_count field or the number of flow/counter records). No authentication is required. The packet triggers the vulnerable code path, leading to a crash [1][2].
Impact
Successful exploitation results in a denial of service (application crash) of the FastNetMon daemon, disrupting network monitoring capabilities. The crash is immediate upon processing the malicious packet [1][2].
Mitigation
The issue is fixed in commits [1] and [2], which introduce capping logic for the number of sFlow samples and records. Users should update to a version containing these fixes (post-1.2.7) or apply the patches manually. No workaround is documented; the vendor recommends upgrading [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FastNetMon Community Edition/FastNetMon Community Edition
- Range: <=1.2.7