CVE-2020-15473
📋 TL;DR
CVE-2020-15473 is a heap-based buffer over-read vulnerability in nDPI's OpenVPN dissector that allows attackers to read memory beyond allocated buffers. This affects systems using nDPI for deep packet inspection, potentially exposing sensitive information or causing crashes. The vulnerability is present in nDPI versions through 3.2.
💻 Affected Systems
- nDPI (ntop Deep Packet Inspection library)
📦 What is this software?
nDPI, the open-source deep packet inspection library developed by ntop.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, though buffer over-read typically enables information disclosure rather than arbitrary code execution.
Likely Case
Information disclosure of adjacent memory contents, potentially exposing sensitive data like encryption keys or session information, or causing denial of service through application crashes.
If Mitigated
Limited impact with proper network segmentation and monitoring, potentially only causing service disruption rather than data exposure.
🎯 Exploit Status
Proof-of-concept code is publicly available. Exploitation requires sending specially crafted OpenVPN packets to systems using vulnerable nDPI versions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: nDPI 3.3 and later
Vendor Advisory: https://github.com/ntop/nDPI/commit/8e7b1ea7a136cc4e4aa9880072ec2d69900a825e
Restart Required: Yes
Instructions:
1. Update nDPI to version 3.3 or later.
2. Recompile any applications that link against nDPI.
3. Restart the services that use the updated library.
🔧 Temporary Workarounds
Disable OpenVPN dissector
Temporarily disable OpenVPN protocol detection in the nDPI configuration (all platforms).
Network filtering
Block or filter OpenVPN traffic at network boundaries (Linux, iptables). The rules below cover only OpenVPN's default port 1194 and only traffic addressed to the host itself; a sensor that captures through libpcap or a mirror port still sees those packets, so in that deployment the filtering has to happen upstream of the sensor.
iptables -A INPUT -p udp --dport 1194 -j DROP
iptables -A INPUT -p tcp --dport 1194 -j DROP
🧯 If You Can't Patch
- Implement network segmentation to isolate systems using nDPI
- Deploy intrusion detection systems to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Run ndpiReader --version, or check the nDPI library version linked into the applications that use it.
Check Version:
command -v ndpiReader >/dev/null && ndpiReader --version 2>/dev/null | head -1 || grep -i ndpi /usr/include/ndpi/ndpi_version.h
Verify Fix Applied:
Confirm that the nDPI version is 3.3 or later; for source builds, also confirm that the fixing commit 8e7b1ea7a136cc4e4aa9880072ec2d69900a825e is present in the git history (for example with git log).
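To make the two checks above scriptable, here is an added Python example (not part of the advisory and not nDPI's own code) that classifies a version string against the advisory's fix version and looks for the fixing commit in `git log --oneline` output. It assumes the release number appears in dotted form somewhere in the text; the sample inputs and the commit subject line are constructed placeholders.

```python
import re
from typing import Optional, Tuple

# Facts from the advisory: fixed in nDPI 3.3; fixing commit in ntop/nDPI.
FIXED_IN = (3, 3)
FIX_COMMIT = "8e7b1ea7a136cc4e4aa9880072ec2d69900a825e"

# The first "N.N[.N][-suffix]" token in the text is taken as the nDPI version.
# Assumption: the input is `ndpiReader --version` output or the version define
# from the nDPI headers, where the release number appears in that form.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?")


def parse_ndpi_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, suffix) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), (suffix or "")


def assess_version(text: str) -> str:
    """Classify a version string for CVE-2020-15473.

    'vulnerable'    - release before 3.3 (through 3.2 per the advisory)
    'fixed'         - 3.3 or a later release
    'verify-commit' - 3.3 pre-release/dev snapshot, which may predate the fix
    'unknown'       - no version number recognised
    """
    parsed = parse_ndpi_version(text)
    if parsed is None:
        return "unknown"
    major, minor, _patch, suffix = parsed
    if (major, minor) < FIXED_IN:
        return "vulnerable"
    if (major, minor) == FIXED_IN and suffix:
        return "verify-commit"
    return "fixed"


def has_fix_commit(git_log_oneline: str) -> bool:
    """True if the fixing commit appears in `git log --oneline` output.

    `--oneline` abbreviates hashes, so accept any abbreviation of at least
    7 hex digits that is a prefix of the full commit id.
    """
    for line in git_log_oneline.splitlines():
        token = line.split(" ", 1)[0].strip().lower()
        if len(token) >= 7 and FIX_COMMIT.startswith(token):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs (not real tool output).
    samples = ["ndpiReader v.3.2", "nDPI 3.3.0", "3.3-dev", "4.0", "no version here"]
    for s in samples:
        print(f"{s!r:24} -> {assess_version(s)}")
    # Constructed git log excerpt; the subject line is a placeholder.
    log = "8e7b1ea (commit subject omitted)\nabc1234 unrelated change\n"
    print("fix commit present:", has_fix_commit(log))
```

A 3.3 development snapshot is deliberately not reported as fixed: whether it carries the fix depends on where it was cut, so the script sends you to the commit check instead.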
📡 Detection & Monitoring
Log Indicators:
- Application crashes or abnormal termination of nDPI-based services
- Memory access violation errors in system logs
Network Indicators:
- Unusual OpenVPN packet patterns or malformed OpenVPN traffic
SIEM Query:
source="*ndpi*" AND ("segmentation fault" OR "buffer over-read" OR "memory violation")
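As an added example (not part of the advisory), the following Python applies the log indicators above to syslog-style lines offline, for use where no SIEM is in place or to validate the query. The sample lines, host name and service name (`sensor1`, `ndpi-probe`) are constructed placeholders. It also accepts the kernel's `segfault at` wording and systemd's `status=11/SEGV`, which the SIEM query as written would not match, and it keeps the source filter so that unrelated crashes are not reported.

```python
import re
from typing import Dict, Iterable, List

# Standard syslog line: "Mon DD HH:MM:SS host program[pid]: message"
_SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Crash / over-read indicators. The advisory's SIEM terms come first; the rest
# cover how Linux actually reports the same event: the kernel logs
# "segfault at ...", systemd "status=11/SEGV", glibc "SIGSEGV", nginx-style
# services "signal 11".
_INDICATOR_RE = re.compile(
    r"segmentation fault|buffer over-read|memory (?:access )?violation|"
    r"segfault|SIGSEGV|\bSEGV\b|signal 11",
    re.IGNORECASE,
)


def scan_ndpi_logs(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per line whose source is nDPI-related and that carries
    a crash indicator. 'Source' means the logging program or the message
    itself, because the kernel and systemd log on behalf of the crashed
    process rather than under its name."""
    hits = []
    for raw in lines:
        m = _SYSLOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if "ndpi" not in (prog + " " + msg).lower():
            continue  # e.g. an nginx worker crash: same signal, different source
        ind = _INDICATOR_RE.search(msg)
        if ind:
            hits.append({"host": m.group("host"), "prog": prog,
                         "indicator": ind.group(0), "msg": msg})
    return hits


# Constructed sample log lines (placeholders, not captured from a real host).
SAMPLE_LOG = """\
Jun 17 10:02:11 sensor1 kernel: [12345.678901] ndpiReader[4321]: segfault at 7f3c9a0b1000 ip 00007f3c99c41a2b sp 00007ffd2b3c5e40 error 4 in libndpi.so.3.2[7f3c99c00000+80000]
Jun 17 10:02:12 sensor1 systemd[1]: ndpi-probe.service: Main process exited, code=killed, status=11/SEGV
Jun 17 10:02:15 sensor1 sshd[901]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2
Jun 17 10:03:01 sensor1 nginx[777]: worker process 778 exited on signal 11 (core dumped)
Jun 17 10:03:40 sensor1 ndpi-probe[4400]: buffer over-read in openvpn dissector, dropping flow
"""


def demo() -> List[Dict[str, str]]:
    """Run the scanner over the constructed sample; expected: 3 hits."""
    return scan_ndpi_logs(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['host']} {hit['prog']:10} [{hit['indicator']}] {hit['msg'][:60]}")
```

The nginx line carries a signal-11 indicator but is dropped by the source filter, which is the behaviour the `source="*ndpi*"` clause of the SIEM query is meant to give; the kernel and systemd lines are kept only because their messages name the nDPI process or service.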