CVE-2023-41910
📋 TL;DR
CVE-2023-41910 is a critical heap out-of-bounds read vulnerability in the lldpd network discovery daemon. An attacker can trigger it by sending specially crafted CDP packets, potentially leading to information disclosure or service disruption. Systems running vulnerable versions of lldpd are affected.
💻 Affected Systems
- lldpd
📦 What is this software?
lldpd, by the lldpd project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, although CWE-125 (out-of-bounds read) typically indicates information disclosure rather than direct RCE
Likely Case
Service crash (denial of service) and potential information disclosure from heap memory
If Mitigated
Limited impact if network segmentation prevents malicious CDP packets from reaching vulnerable systems
🎯 Exploit Status
Exploitation requires network access to the lldpd service port (typically 161 for SNMP or 5353 for LLDP-MED)
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.17
Vendor Advisory: https://github.com/lldpd/lldpd/releases/tag/1.0.17
Restart Required: Yes
Instructions:
1. Update lldpd to version 1.0.17 or later using your package manager.
2. For Debian/Ubuntu: 'sudo apt update && sudo apt upgrade lldpd'.
3. For source installations: download from GitHub and compile.
4. Restart the lldpd service: 'sudo systemctl restart lldpd'
🔧 Temporary Workarounds
Disable CDP protocol support
Linux: Configure lldpd to disable CDP protocol processing
Edit /etc/lldpd.conf and add: 'configure system cdp disable'
Restart lldpd: 'sudo systemctl restart lldpd'
Network segmentation
Linux: Restrict access to the lldpd service using firewall rules
sudo iptables -A INPUT -p udp --dport 161 -j DROP
sudo iptables -A INPUT -p udp --dport 5353 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate lldpd services from untrusted networks
- Monitor for unusual CDP traffic patterns and service crashes
🔍 How to Verify
Check if Vulnerable:
Check the lldpd version with 'lldpd -v', 'dpkg -l | grep lldpd' or 'rpm -qa | grep lldpd'. If the version is earlier than 1.0.17, the system is vulnerable.
Check Version:
lldpd -v
Verify Fix Applied:
Confirm the version is 1.0.17 or later: 'lldpd -v' should show 1.0.17+. Verify the service is running: 'systemctl status lldpd'
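As an added example (not part of this advisory or of the lldpd project), the script below extracts the installed lldpd version from 'lldpd -v' or package-manager output and compares it numerically against the 1.0.17 fix version; the sample strings in it are constructed. Distribution packages may backport the fix under an older upstream version number (see the Debian advisory in the references), so a package changelog check takes precedence over this bare version comparison.

```python
import re
import subprocess

# Version that contains the fix for CVE-2023-41910 (from the advisory).
FIXED_VERSION = (1, 0, 17)


def parse_version(text):
    """Extract the first dotted version number from text such as
    'lldpd 1.0.16' (lldpd -v) or 'ii  lldpd  1.0.16-1  amd64' (dpkg -l).
    Returns a tuple of ints so the comparison is numeric, not lexical
    (a string compare would wrongly rank 1.0.9 above 1.0.17)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version number found in: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text):
    """True if the version found in text is older than 1.0.17."""
    return parse_version(text) < FIXED_VERSION


def installed_lldpd_version_text():
    """Run 'lldpd -v' on this host and return its output.
    Assumes lldpd is on PATH; raises FileNotFoundError otherwise."""
    result = subprocess.run(["lldpd", "-v"], capture_output=True, text=True, check=True)
    return result.stdout or result.stderr


if __name__ == "__main__":
    # Constructed sample outputs so the logic can be exercised without lldpd.
    for sample in ("lldpd 1.0.16", "lldpd 1.0.17", "ii  lldpd  1.0.9-1  amd64"):
        print(f"{sample!r}: {'VULNERABLE' if is_vulnerable(sample) else 'fixed'}")
    try:
        state = "VULNERABLE" if is_vulnerable(installed_lldpd_version_text()) else "fixed"
        print(f"installed lldpd: {state}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"installed lldpd: could not determine version ({exc})")
```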
📡 Detection & Monitoring
Log Indicators:
- lldpd service crashes or restarts
- Error messages related to CDP decoding in system logs
Network Indicators:
- Unusual CDP packet patterns or malformed CDP traffic
- Traffic to lldpd ports from unexpected sources
SIEM Query:
source="lldpd" AND ("crash" OR "segfault" OR "CDP decode error")
🔗 References
- https://github.com/lldpd/lldpd/commit/a9aeabdf879c25c584852a0bb5523837632f099b
- https://github.com/lldpd/lldpd/releases/tag/1.0.17
- https://lists.debian.org/debian-lts-announce/2023/09/msg00025.html
- https://www.debian.org/security/2023/dsa-5505