In our latest update, we’ve added several safety checks in our IPFIX and Netflow v9 code to prevent reading outside of our memory region and potential division by zero. We’ve also blocked zero length data and options templates for Netflow v9 to reduce chances of DoS attacks. We’ve fixed a DoS vulnerability in our sFlow v5 plugin and added explicit checks for the number of counter and flow records in sFlow packets. Additionally, we’ve added logic to correctly populate hostgroup for Flow Spec announces and fixed a bug with traffic buffer size reporting for IPv6. Lastly, we’ve added Kafka support for traffic export. Full details below.
Changes:
- Added sanity check in IPFIX code to avoid reading outside of our memory region
- Added sanity check in Netflow v9 code to avoid reading outside of our memory region
- Added safety check in IPFIX to avoid potential division by zero
- DoS: explicitly blocked zero length data templates for Netflow v9 as they make no sense
- DoS: explicitly blocked zero length options templates for Netflow v9 as they make no sense
- DoS: Added fix for FPE / division by zero in Netflow v9 logic when length of template is zero, CVE-2024-56073
- Added explicit check on the number of counter records in sFlow packet to reduce chances of DoS attack
- Added explicit check on the number of flow records in sFlow packet to reduce chances of DoS attack
- Fixed DoS vulnerability in sFlow v5 plugin which crashed FastNetMon with a specially crafted packet, CVE-2024-56072
- Added logic to correctly populate hostgroup for Flow Spec announces injected manually
- Moved current attack logic up in function to make room for hostgroup lookup
- Switched text/html to text/plain for Prometheus endpoint: https://github.com/prometheus/docs/blob/main/content/docs/instrumenting/exposition_formats.md
- Fixed bug with traffic buffer size reporting for IPv6: IPv6 traffic buffer is too small to generate attack_traffic_samples correctly and IPv6 traffic buffer is too small to generate hostgroup_traffic_samples correctly
- Added Kafka support for traffic export via configuration options kafka_traffic_export, kafka_traffic_export_topic, kafka_traffic_export_format, kafka_traffic_export_brokers
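
The Netflow v9 items above (bounds checks, zero length templates, division by zero) describe checks of the following kind; this is an added sketch, not FastNetMon's own code. It assumes the RFC 3954 template record layout, and the function names and sample bytes are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Big-endian 16-bit read; callers check bounds first.
static uint16_t be16(const uint8_t* p) { return static_cast<uint16_t>((p[0] << 8) | p[1]); }

// Parse one NetFlow v9 template record (RFC 3954 layout: template ID, field
// count, then field_count pairs of 16-bit type and 16-bit length) and store
// the size of one data record in record_len. Returns false for a truncated
// record or one whose field lengths sum to zero.
bool template_record_length(const uint8_t* buf, size_t len, uint32_t& record_len) {
    if (len < 4) return false;                           // header truncated
    const uint16_t field_count = be16(buf + 2);
    if (4 + static_cast<size_t>(field_count) * 4 > len)  // field specs run past the buffer
        return false;
    uint32_t total = 0;
    for (size_t i = 0; i < field_count; ++i)
        total += be16(buf + 4 + i * 4 + 2);              // add each field length
    if (total == 0) return false;                        // zero length template: reject
    record_len = total;
    return true;
}

// Count whole records in a data flowset. flowset_len is the length field of
// the 4-byte flowset header (it includes that header); available is the
// number of bytes left in the packet from the start of the flowset.
bool data_record_count(size_t flowset_len, size_t available, uint32_t record_len, size_t& count) {
    if (record_len == 0) return false;                   // divisor guard
    if (flowset_len < 4 || flowset_len > available) return false;
    count = (flowset_len - 4) / record_len;              // leftover bytes are padding
    return true;
}

// Constructed samples: template 256 with two 4-byte fields, and a template
// whose single field has length 0.
static const uint8_t kGoodTemplate[] = {0x01, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x04};
static const uint8_t kZeroTemplate[] = {0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00};

int main() {
    uint32_t len = 0;
    size_t n = 0;
    std::printf("good template accepted: %d\n", template_record_length(kGoodTemplate, sizeof kGoodTemplate, len));
    std::printf("zero template accepted: %d\n", template_record_length(kZeroTemplate, sizeof kZeroTemplate, len));
    std::printf("count ok: %d, records: %zu\n", data_record_count(22, 22, len, n), n);
    return 0;
}
```

Rejecting the template when it is learned keeps a zero divisor out of the template cache, and the divisor guard in `data_record_count` covers any path that bypasses that check.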