CVE-2021-28906

7.5 HIGH

📋 TL;DR

This vulnerability in libyang's read_yin_leaf() function allows a NULL pointer dereference when processing malformed YANG data. It affects systems using libyang v1.0.225 and earlier for network configuration management. An attacker can cause a denial of service by crashing applications that parse untrusted YANG files.

💻 Affected Systems

Products:
  • libyang
  • systems using libyang library (e.g., network management tools, NETCONF/YANG implementations)
Versions: libyang <= v1.0.225
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when parsing YANG data with specific malformed extensions. Applications must use the vulnerable libyang function.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution if the crash can be leveraged for memory corruption, though this is unlikely given the nature of a NULL pointer dereference.

🟠 Likely Case: Denial of service through application crash when processing malicious YANG data, disrupting network configuration services.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing of YANG parsing processes.

🌐 Internet-Facing: MEDIUM - Applications accepting YANG data from external sources could be crashed remotely.
🏢 Internal Only: LOW - Typically used in internal network management systems with trusted data sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed YANG data to trigger the NULL pointer dereference. No authentication is needed if the application accepts external YANG input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libyang v1.0.226 and later

Vendor Advisory: https://github.com/CESNET/libyang/issues/1455

Restart Required: Yes

Instructions:

1. Update libyang to v1.0.226 or later using the package manager.
2. Rebuild any applications statically linked to libyang.
3. Restart services using libyang.

🔧 Temporary Workarounds

Input validation (all platforms): Implement strict validation of YANG data before passing it to libyang functions.

Process isolation (linux): Run YANG parsing in isolated processes/containers to limit crash impact.

🧯 If You Can't Patch

  • Restrict YANG data sources to trusted internal systems only.
  • Implement monitoring and automatic restart for services using libyang to minimize downtime from crashes.

🔍 How to Verify

Check if Vulnerable:

Check the libyang version with 'yanglint --version' or 'ldconfig -p | grep libyang'. If the version is <= 1.0.225, the system is vulnerable.

Check Version:

yanglint --version 2>/dev/null || pkg-config --modversion libyang || find /usr -name '*libyang*' -exec strings {} \; 2>/dev/null | grep -i version

Verify Fix Applied:

Confirm libyang version is >= 1.0.226 and test with known malformed YANG data to ensure no crash occurs.
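The version check above leaves the comparison to the reader; the following added example (not part of the advisory or of libyang itself) wraps the advisory's own commands and compares the detected version numerically against the first fixed release, 1.0.226. The output format of yanglint --version is assumed to contain the dotted version number.

```bash
#!/bin/sh
# Added example for CVE-2021-28906: decide whether a detected libyang
# version is in the affected range (<= 1.0.225). Versions are compared
# field by field as integers, so plain string comparison pitfalls
# (e.g. "1.0.9" vs "1.0.10") are avoided.

FIXED_VERSION="1.0.226"   # first fixed release per the advisory

# version_lt A B: exit 0 if dotted version A < B, else 1.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"          # leading field of each
        [ "$a" = "$ax" ] && a="" || a="${a#*.}" # drop consumed field
        [ "$b" = "$bx" ] && b="" || b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"          # missing field counts as 0
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
    done
    return 1                                  # equal, so not less-than
}

# is_vulnerable VERSION: exit 0 if VERSION is affected, 1 if fixed.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# extract_version TEXT: pull the first dotted number out of tool output
# such as "yanglint 1.0.225" (output format assumed).
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9.]*[0-9]' | head -n 1
}

# detected_version: try the advisory's commands in turn and print the
# installed version, or exit 1 if neither command is available.
detected_version() {
    v=$(yanglint --version 2>/dev/null) \
        || v=$(pkg-config --modversion libyang 2>/dev/null) \
        || return 1
    extract_version "$v"
}

# Stand-alone usage: report the installed version's status.
check_installed() {
    v=$(detected_version) || { echo "libyang not found"; return 2; }
    if is_vulnerable "$v"; then echo "libyang $v: VULNERABLE"; return 0
    else echo "libyang $v: fixed"; return 1; fi
}
```

Run check_installed on the host under test; the exit status (0 vulnerable, 1 fixed, 2 not found) is usable from other scripts.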

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation fault in libyang functions
  • Error logs mentioning read_yin_leaf or YANG parsing failures

Network Indicators:

  • Unusual YANG data transfers to network management ports
  • Repeated connection attempts to YANG/NETCONF services

SIEM Query:

source="*libyang*" AND ("segmentation fault" OR "null pointer" OR "read_yin_leaf")

🔗 References
