CVE-2015-8011

9.8 CRITICAL

📋 TL;DR

CVE-2015-8011 is a stack-based buffer overflow in the lldp_decode function (daemon/protocols/lldp.c) of lldpd, the LLDP daemon, affecting releases before 0.8.0. A remote attacker on the same layer-2 segment can crash the daemon and potentially execute arbitrary code by sending a crafted LLDP frame whose Management Address TLV carries an inner address length larger than the space actually available, so the copy runs past the end of the TLV and past the fixed-size buffer that receives it. LLDP has no authentication, so no credentials or interaction are needed.
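To make the mechanism concrete, here is an added, illustrative parser for the LLDP Management Address TLV that performs the bounds check this bug class lacks. It is example code written for this page, not lldpd's lldp_decode(); the TLV layout follows IEEE 802.1AB (2-octet header with 7-bit type and 9-bit length; a 1..31 octet "management address string" consisting of the address subtype plus the address; interface numbering subtype; 4-octet interface number; OID length), and the three sample LLDPDUs are constructed, not captured traffic. The same check is what a detector for oversized management address fields would apply to frames seen on the wire.

```c
/* Bounds-checked parse of the LLDP Management Address TLV.
 * Illustrative code for this page; NOT lldpd's lldp_decode(). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLV_END            0
#define TLV_MGMT_ADDR      8
#define MGMT_ADDR_STR_MAX  31   /* 802.1AB: subtype octet + address, 1..31 octets */
#define OID_MAX            128

struct mgmt_addr {
    uint8_t  subtype;                  /* IANA address family, 1 = IPv4 */
    uint8_t  addr[MGMT_ADDR_STR_MAX];  /* fixed-size destination, as a daemon would keep */
    size_t   addr_len;
    uint32_t ifindex;
};

/* 2-octet TLV header: 7-bit type, 9-bit length. Fails if the advertised
 * length runs past the bytes actually present in the frame. */
static int tlv_header(const uint8_t *p, size_t avail, unsigned *type, size_t *len)
{
    if (avail < 2) return -1;
    uint16_t h = (uint16_t)((p[0] << 8) | p[1]);
    *type = h >> 9;
    *len  = h & 0x1ff;
    return (*len <= avail - 2) ? 0 : -1;
}

/* Parse the value part (tlv_len bytes at v) of a Management Address TLV.
 * Every inner length is attacker-controlled, so each is checked against
 * BOTH the fixed destination size and the bytes left in the TLV. Dropping
 * the tlv_len checks is the CVE-2015-8011 bug class: the memcpy below
 * would read past the TLV and write past out->addr. */
int parse_mgmt_addr(const uint8_t *v, size_t tlv_len, struct mgmt_addr *out)
{
    size_t pos = 0;
    if (tlv_len < 1) return -1;
    size_t addr_str_len = v[pos++];
    if (addr_str_len < 2 || addr_str_len > MGMT_ADDR_STR_MAX) return -1; /* fits destination */
    if (addr_str_len > tlv_len - pos) return -1;                         /* stays inside TLV */
    out->subtype  = v[pos];
    out->addr_len = addr_str_len - 1;
    memcpy(out->addr, v + pos + 1, out->addr_len);
    pos += addr_str_len;
    /* interface numbering subtype (1) + interface number (4) + OID length (1) */
    if (tlv_len - pos < 6) return -1;
    pos += 1;
    out->ifindex = ((uint32_t)v[pos] << 24) | ((uint32_t)v[pos + 1] << 16) |
                   ((uint32_t)v[pos + 2] << 8) | (uint32_t)v[pos + 3];
    pos += 4;
    size_t oid_len = v[pos++];
    if (oid_len > OID_MAX || oid_len > tlv_len - pos) return -1;
    return 0;
}

/* Walk an LLDPDU (the Ethernet payload after ethertype 0x88CC).
 * Returns 1 if a well-formed Management Address TLV was found, 0 if none,
 * -1 on any malformed TLV. */
int scan_lldpdu(const uint8_t *pdu, size_t len, struct mgmt_addr *out)
{
    size_t off = 0;
    int found = 0;
    while (off < len) {
        unsigned type; size_t tlen;
        if (tlv_header(pdu + off, len - off, &type, &tlen) < 0) return -1;
        off += 2;
        if (type == TLV_END) break;
        if (type == TLV_MGMT_ADDR) {
            if (parse_mgmt_addr(pdu + off, tlen, out) < 0) return -1;
            found = 1;
        }
        off += tlen;
    }
    return found;
}

/* Constructed sample LLDPDUs. 0x10 0x0C = type 8, value length 12. */
static const uint8_t PDU_GOOD[] = {
    0x10, 0x0C, 0x05, 0x01, 10, 0, 0, 1,  /* str len 5: IPv4 subtype + 10.0.0.1 */
    0x02, 0, 0, 0, 7, 0x00,               /* ifIndex numbering, ifIndex 7, OID len 0 */
    0x00, 0x00                            /* End of LLDPDU */
};
/* Inner length 255: exceeds the destination and the 12-byte TLV. */
static const uint8_t PDU_OVERSIZE[] = {
    0x10, 0x0C, 0xFF, 0x01, 10, 0, 0, 1, 0x02, 0, 0, 0, 7, 0x00, 0x00, 0x00
};
/* Inner length 30 fits the 31-byte destination but crosses the TLV
 * boundary into the next TLV; only the tlv_len check catches it. */
static const uint8_t PDU_CROSS[] = {
    0x10, 0x0C, 0x1E, 0x01, 10, 0, 0, 1, 0x02, 0, 0, 0, 7, 0x00, 0x00, 0x00
};

int example_good_result(void)     { struct mgmt_addr m; return scan_lldpdu(PDU_GOOD, sizeof PDU_GOOD, &m); }
unsigned example_good_ifindex(void) { struct mgmt_addr m = {0}; scan_lldpdu(PDU_GOOD, sizeof PDU_GOOD, &m); return m.ifindex; }
int example_oversize_result(void) { struct mgmt_addr m; return scan_lldpdu(PDU_OVERSIZE, sizeof PDU_OVERSIZE, &m); }
int example_cross_result(void)    { struct mgmt_addr m; return scan_lldpdu(PDU_CROSS, sizeof PDU_CROSS, &m); }

int main(void)
{
    printf("good=%d (ifindex %u) oversize=%d cross=%d\n", example_good_result(),
           example_good_ifindex(), example_oversize_result(), example_cross_result());
    return 0;
}
```

The two rejected frames show why a single check is not enough: a cap on the destination size alone would accept the 30-octet claim, which still reads beyond the TLV and into whatever follows it in the frame. Both limits, the destination size and the remaining TLV length, have to be enforced.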

💻 Affected Systems

Products:
  • lldpd
Versions: All versions before 0.8.0
Operating Systems: Linux, BSD systems running lldpd, Embedded systems with lldpd
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when lldpd is running and listening on network interfaces. Some distributions may have backported fixes.

📦 What is this software?

lldpd is an implementation of IEEE 802.1AB (Link Layer Discovery Protocol), a layer-2 protocol by which network devices advertise their identity, capabilities and management addresses to directly connected neighbours; it also decodes CDP, EDP, SONMP and FDP. It runs as a daemon (lldpd) that listens on all interfaces by default and is queried with lldpctl.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code execution inside the lldpd process that decodes the frame, used as a foothold for lateral movement or persistence. Note that lldpd uses privilege separation: frame decoding runs in an unprivileged, chrooted child, so an attacker lands there first and would need a further bug in the privileged monitor process to reach root and full system compromise.

🟠

Likely Case

Denial of service through daemon crash, potentially disrupting network discovery and management functions.

🟢

If Mitigated

Patched hosts are unaffected. Where LLDP is disabled, or lldpd is confined to trusted uplinks and the switch does not pass LLDP from untrusted ports, untrusted hosts have no path to deliver the frame; residual exposure is a crash of the decoding process on any port still exposed, with service restored if the unit is configured to restart.

🌐 Internet-Facing: MEDIUM - LLDP is a link-local layer-2 protocol (ethertype 0x88CC, destination 01:80:c2:00:00:0e) that bridges do not forward and routers never route, so a remote attacker only reaches lldpd if a layer-2 extension (L2 VPN, VXLAN, or a misconfigured bridge) carries untrusted frames onto the segment.
🏢 Internal Only: HIGH - any device in the same broadcast domain as a vulnerable host (a compromised workstation, or a rogue device plugged into an access port) can send the frame, and lldpd listens on all interfaces by default.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted LLDP frames from a host with layer-2 adjacency to the target (same broadcast domain or an L2 tunnel into it); LLDP has no authentication, so nothing else is needed. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.0 and later

Fix Commit: https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2

Restart Required: Yes

Instructions:

1. Update lldpd to 0.8.0 or later, or to a distribution build that backports the fix (confirm by searching the package changelog for CVE-2015-8011 rather than trusting the version number alone).
2. Debian/Ubuntu: sudo apt update && sudo apt install lldpd
3. RHEL/CentOS: sudo yum update lldpd
4. Restart so the new binary is actually running: sudo systemctl restart lldpd

🔧 Temporary Workarounds

Disable LLDP service

linux

Stop and disable the lldpd service if LLDP functionality is not required.

sudo systemctl stop lldpd
sudo systemctl disable lldpd

Restrict listening interfaces and segment at the switch

linux

A host firewall does not help here: LLDP frames are not IP, iptables has no ethertype match, and lldpd reads frames from a raw packet socket before layer-3 filtering applies. Instead, restrict lldpd to trusted uplinks with its -I option (a comma-separated interface list; wildcard patterns and "!" exclusions are accepted), and disable LLDP on switch ports that face untrusted hosts so their frames never reach the segment. On Debian-style packages the option goes into DAEMON_ARGS in /etc/default/lldpd.

DAEMON_ARGS="-I eth0"
sudo systemctl restart lldpd

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from potential attackers
  • Deploy intrusion detection/prevention systems to monitor for LLDP exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Run lldpd -v. Versions below 0.8.0 are vulnerable unless the distribution backported the fix; backported packages keep a version string below 0.8.0, so check the package changelog for CVE-2015-8011 (Debian: /usr/share/doc/lldpd/changelog.Debian.gz; RPM: rpm -q --changelog lldpd).

Check Version:

lldpd -v 2>/dev/null || dpkg -l lldpd || rpm -q lldpd

Verify Fix Applied:

Confirm lldpd -v reports 0.8.0 or higher (or the package changelog lists CVE-2015-8011), and that the running process was restarted after the upgrade: systemctl status lldpd should show a start time later than the package install.

📡 Detection & Monitoring

Log Indicators:

  • lldpd crash logs in the systemd journal or /var/log/syslog: systemd reports the unit exiting on a signal, and the kernel logs "lldpd[PID]: segfault at ..." for a segfaulting process
  • Unexpected lldpd process termination or repeated restarts

Network Indicators:

  • Unusual LLDP traffic patterns
  • LLDP packets with abnormally large management address fields

SIEM Query:

(program="lldpd" OR unit="lldpd.service") AND (message="*segfault*" OR message="*SIGSEGV*" OR message="*code=killed*")

🔗 References

  • Fix commit: https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2015-8011
