A security vulnerability has been discovered in the popular open-source routing suite FRRouting (FRR), specifically in how _bgpd/bgp_packet.c_ processes Network Layer Reachability Information (NLRI) when the attribute length is zero. The affected versions of FRRouting FRR are up to and including version 9.. This vulnerability has been assigned the identifier CVE-2023-41358.

In this post, we'll provide an overview of the vulnerability, demonstrate a code snippet to show where the vulnerability lies, point out the relevant original references, and provide details of the potential exploit for this vulnerability.

Vulnerability Overview

FRRouting (FRR) is an IP routing protocol suite for Linux and Unix platforms. The vulnerability lies within _bgpd_, the daemon within FRRouting that processes BGP (Border Gateway Protocol) messages. The affected code is located in the bgpd/bgp_packet.c file.

Specifically, the vulnerability occurs when bgpd goes on to process NLRIs even though the attribute length is zero, as described in issues/10489. This can lead to incorrect network routing, instability, and denial of service (DoS) conditions.

The vulnerability was discovered by security@frrouting.org, and the related pull request addresses the issue.

The problematic code is found within the bgpd/bgp_packet.c file:

```c
while (stream_get_getp(s) + BGP_NLRI_HEADER_LEN <= endp) {
    /* Check the attribute flag. */
    ...
    /* Check the attribute type code. */
    ...
    /* Check the attribute length. */
    length = stream_getw(s);   /* read the 16-bit attribute length from the stream */
    if (length == 0) {
        /* Vulnerable condition: a zero attribute length is not rejected here,
         * so the NLRI that follows is still processed. */
        ...
    }
    ...
}
```

In the vulnerable code snippet above, the attribute length (`length`) is checked for a value of zero, but a zero length does not stop processing, so the NLRIs are handled with no usable attributes; this is what leads to the incorrect processing of NLRIs.

1. GitHub Issue #10489 - This link discusses the vulnerability discovered in FRRouting FRR.
2. GitHub Pull Request #10490 - This link provides a code patch to address the vulnerability.

Exploit Details

An attacker can exploit this vulnerability by crafting BGP packets with zero attribute lengths and sending them to an affected FRR instance. Due to the incorrect handling of such packets, a malicious actor may cause routing errors, potentially disrupting network communications and causing a denial of service.

Conclusion

FRRouting FRR users and administrators should reference the original sources mentioned above and update their systems with the patched version of FRR as soon as possible to mitigate any potential risks associated with this vulnerability. It is essential for organizations to frequently monitor and apply security updates to their critical systems to avoid potential exploitation and network disruptions.

Timeline

Published on: 08/29/2023 04:15:00 UTC
Last modified on: 09/19/2023 22:15:00 UTC