Routing note: SECURITY.md lists "Denial of service against the O-Node (single-process architecture)" as a known out-of-scope limitation, so I'm filing this as a public robustness issue rather than a private security report. It's a crash, not a crypto/trust/auth bypass. If you'd rather track it elsewhere, happy to move it.
Observed. With an ASA connected but at enable=0 (no enable credential configured), both the watchdog health-check and a client execute were attempted without enable:
[ASA] Warning: not in enable mode on ASA, command may fail: show clock
[ASA] Warning: not in enable mode on ASA, command may fail: show version
[Watchdog] Health check failed: ASA — dropping
[ASA] Disconnected: ASA
A client {"action":"execute","device":"ASA","command":"show version"} then segfaulted virp-onode-prod (client got socket closed prematurely; shell reported Segmentation fault).
Repro (minimal): a device whose SSH account is not priv-15, with no enable credential configured → connect → issue any exec command (or let the watchdog health-check run). Seen on ASA 9.1(7)23, but the trigger is the enable=0 + command-issued state, which looks driver-generic in the cisco/asa exec path.
Why it's worth fixing despite the known single-process-DoS limitation: this isn't resource exhaustion — it's a reproducible memory-safety crash on a specific, partly device-influenced input (mode/prompt detection), and the fix looks small and local: the exec path should return an error (e.g. VIRP_ERR_ENABLE_REQUIRED) when a command is requested on a not-enabled session, rather than proceeding into the crash. A negative test / libFuzzer case for "connected, enable=0, command issued" would lock it down.
PR_SET_DUMPABLE=0 means no key disclosure via core dump (good). I can run the daemon under gdb in an isolated VM to capture a backtrace if useful.
Environment: O-Node @ 604edca, make … (+prod); Ubuntu Server 26.04, gcc 15.2, Go 1.26, libssh2 1.11.1; target = physical Cisco ASA5505, ASA 9.1(7)23.
Routing note:
SECURITY.mdlists "Denial of service against the O-Node (single-process architecture)" as a known out-of-scope limitation, so I'm filing this as a public robustness issue rather than a private security report. It's a crash, not a crypto/trust/auth bypass. If you'd rather track it elsewhere, happy to move it.Observed. With an ASA connected but at
enable=0(noenablecredential configured), both the watchdog health-check and a clientexecutewere attempted without enable:A client
{"action":"execute","device":"ASA","command":"show version"}then segfaultedvirp-onode-prod(client gotsocket closed prematurely; shell reportedSegmentation fault).Repro (minimal): a device whose SSH account is not priv-15, with no
enablecredential configured → connect → issue any exec command (or let the watchdog health-check run). Seen on ASA 9.1(7)23, but the trigger is theenable=0+ command-issued state, which looks driver-generic in the cisco/asa exec path.Why it's worth fixing despite the known single-process-DoS limitation: this isn't resource exhaustion — it's a reproducible memory-safety crash on a specific, partly device-influenced input (mode/prompt detection), and the fix looks small and local: the exec path should return an error (e.g.
VIRP_ERR_ENABLE_REQUIRED) when a command is requested on a not-enabled session, rather than proceeding into the crash. A negative test / libFuzzer case for "connected, enable=0, command issued" would lock it down.PR_SET_DUMPABLE=0means no key disclosure via core dump (good). I can run the daemon under gdb in an isolated VM to capture a backtrace if useful.Environment: O-Node @
604edca,make … (+prod); Ubuntu Server 26.04, gcc 15.2, Go 1.26, libssh2 1.11.1; target = physical Cisco ASA5505, ASA 9.1(7)23.