R-fx Networks BFD – Log Forging (Deny IP) Vulnerability (R911-0121)

Type: Log Forging
Location: Local
Impact: High
Product: R-fx Networks BFD
Website: https://www.rfxn.com
Vulnerable Version: 1.5
Fixed Version: 1.5-1
CVE: -
R911: 0121
Date: 2014-02-03
By: Rack911

Product Description:

BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application-specific options are stored, including regular expressions for each unique auth format.

Vulnerability Description:

Through the use of log forging, it is possible to trick BFD into blocking any IP range (E.g: which could easily result in a malicious user creating a DoS against the server by blocking every single IPv4 address with minimal effort.


We have deemed this vulnerability to be rated as HIGH due to the fact that any user, including administrators, can have their IPs blocked.
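
A check of the kind a log-driven blocker can apply to an address taken from a log line before acting on it, shown as an added example (not BFD's code and not the vendor's 1.5-1 fix). The function names, the allowlist and the sample candidates are constructed for illustration; the check refuses range notation outright and never bans allowlisted or loopback addresses.

```shell
#!/bin/sh
# Added example: vet a ban candidate parsed from a log line before it
# reaches the firewall. Hypothetical names; not BFD's own code.

# Constructed sample allowlist (RFC 5737 documentation addresses).
ALLOWLIST="192.0.2.10 198.51.100.7"

# Succeeds only for one dotted-quad host address: no CIDR suffix, no
# wildcard, no stray characters, every octet in 0-255.
is_single_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*.) return 1 ;;   # rejects '/', '*', spaces, trailing dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split the candidate into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|????*|0?*) return 1 ;;  # empty, over 3 digits, leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints one decision per candidate:
# ban, reject-format, reject-reserved or skip-allowlisted.
ban_decision() {
    is_single_ipv4 "$1" || { echo reject-format; return 0; }
    case "$1" in
        0.*|127.*|255.255.255.255) echo reject-reserved; return 0 ;;
    esac
    for trusted in $ALLOWLIST; do
        if [ "$1" = "$trusted" ]; then
            echo skip-allowlisted
            return 0
        fi
    done
    echo ban
}

# Constructed candidates, as they might be extracted from log lines.
for candidate in 203.0.113.45 203.0.113.0/24 '203.0.113.*' 192.0.2.10 127.0.0.1; do
    printf '%-16s %s\n' "$candidate" "$(ban_decision "$candidate")"
done
```
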

Vulnerable Version:

This vulnerability was tested against R-fx Networks BFD 1.5 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in R-fx Networks BFD 1.5-1; however, the ability to maliciously block a *single* IP address remains. Please read the following forum post for mitigation suggestions:


Vendor Contact Timeline:

2014-01-26: Vendor contacted via email.
2014-01-27: Vendor confirms vulnerability.
2014-01-29: Vendor issues update.
2014-02-03: Rack911 issues security advisory.