Security Advisory 2020-05-06-2 - relayd out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11752)

relayd in OpenWrt through 19.07.2 and 18.06.8 has potential for out-of-bounds reads of heap data and possible buffer overflow.

relayd is a transparent routing / relay daemon for OpenWrt. It can be used to relay traffic between two networks, including DHCP and broadcast, when other options don't work or are too complex to implement.

We have not been made aware of any exploits at this time, however users are advised to update the relayd package to 2020-04-25-f4d759be-1 or later.

CVE-2020-11752 has been assigned to this issue.

The relayd package is not part of the default package set: official OpenWrt images provided for download do not contain relayd. However, third-party firmware images based on OpenWrt may contain relayd by default.

In order to exploit this vulnerability, a vulnerable version of the relayd package needs to be installed on the OpenWrt device. A malicious attacker in the same local network as the OpenWrt device would then need to send a specially crafted DHCP packet.

To fix this issue, update the affected relayd package using the command below.

 opkg update; opkg upgrade relayd

The fix is contained in the following and later versions:

To our knowledge, OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.2 are affected. The fixed packages will be integrated in the upcoming OpenWrt 18.06.9 and OpenWrt 19.07.3 releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

This issue was identified by Guido Vranken using ForAllSecure Mayhem and code fix was implemented by Kevin Darbyshire-Bryant with assistance from Guido Vranken.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2020/05/19 10:44
  • by zorun