BFD 1.5-1 Update: Forged Syslog Data Vulnerability

Current Release:
http://www.rfxn.com/downloads/bfd-current.tar.gz
http://www.rfxn.com/appdocs/README.bfd
http://www.rfxn.com/appdocs/CHANGELOG.bfd

An updated version of BFD 1.5 has been released, version 1.5-1, which addresses an address scoping issue in the event forged syslog data is encountered on the host system running BFD from a malicious local user or any other sources that may generate forged syslog data. In such situations, BFD can be manipulated to ban addresses that it would otherwise not validly be triggered to do so, with wide scoped CIDR notation at up to a /8.

The 1.5-1 release addresses this by ensuring that addresses BFD passes onto the BAN_COMMAND are fully qualified C class (/32 CIDR) addresses only, as opposed to any CIDR notation address.

Thanks goes to rack911.com for responsibly advising of this issue and awaiting the release of a fix prior to any public disclosure. The responsible disclosure practices of rack911.com are a statement to their professionalism as a managed services provider as well as their dedication to improving the security landscape of the web hosting industry at large.