CVE-2024-27913 is a vulnerability in the FRRouting (FRR) software suite that remote attackers can exploit to cause a denial of service (DoS) against the ospfd daemon. This blog post details the nature of the vulnerability, shows a code snippet that illustrates where the problem lies, and provides links to the original references and exploit details.

Background

FRRouting (FRR) is an IP routing protocol suite for Linux and Unix platforms, widely used to interconnect routers and switches in large networks. The suite includes OSPF (Open Shortest Path First), an Interior Gateway Protocol (IGP) used to distribute routing information within a single Autonomous System (AS). The OSPF implementation in FRR contains a vulnerability that an attacker can use to crash the ospfd daemon by sending a malformed OSPF LSA (Link-State Advertisement) packet.

Vulnerability Details

The vulnerability lies in the ospf_te_parse_te() function in the ospfd/ospf_te.c file. When processing a received OSPF LSA packet, the code attempts to read an attribute field that the packet does not actually contain. Because the missing field is not handled, the read causes a segmentation fault and the ospfd daemon crashes. The ospfd daemon is responsible for running the OSPF routing protocol, so its crash results in a denial of service.

Here is the relevant code snippet from the ospfd/ospf_te.c file, showcasing the improper handling of an OSPF LSA packet:

/* Parse Traffic Engineering LSA Sub-TLV and build corresponding data */
void ospf_te_parse_te(struct ospf_lsa *lsa, struct tlv_header *tlvh)
{
    // ... snip ...
    while (STREAM_READABLE(stream)) {
        struct tlv_header *tlvh_sub;
        // ... snip ...
        switch (ntohs(tlvh_sub->type)) {
        // ... snip ...
        case LINK_TE_ATTR:
            ospf_te_parse_attr(lsa, tlvh_sub); // <-- This function accesses the missing attribute field
            break;
        // ... snip ...
        }
    }
}
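The check that the description above implies is absent, shown here as an added example written for this post rather than code taken from FRR: a bounds-checked sub-TLV walker that verifies, before every read, that the sub-TLV header and the value bytes it declares are actually present in the received buffer. The wire layout (2-byte type, 2-byte length, value padded to 4 bytes) is the generic TE TLV shape; the type number EXAMPLE_LINK_ATTR and the three sample bodies are constructed for the demonstration and are not values from the CVE or from FRR.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wire layout assumed for this example: each sub-TLV is a 2-byte type, a
 * 2-byte length (value bytes only), the value, then padding to a 4-byte
 * boundary. The type number below is a placeholder, not an IANA-assigned one. */
#define TLV_HDR_LEN        4u
#define EXAMPLE_LINK_ATTR  0x7f01u
#define ROUND_UP4(n)       (((n) + 3u) & ~3u)

struct parse_result {
    int      tlv_count;   /* sub-TLVs that passed every length check */
    int      rejected;    /* set when the walk stopped on a truncated sub-TLV */
    uint32_t attr_value;  /* first 4 value bytes of EXAMPLE_LINK_ATTR, if seen */
};

/* Byte-wise big-endian readers: no struct overlay, no alignment assumptions. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the sub-TLVs in buf[0..len). Every read is preceded by a check that the
 * bytes exist, so a header that promises more than the packet carries is
 * rejected instead of being dereferenced. Returns 0 on success, -1 on reject. */
int parse_sub_tlvs_checked(const uint8_t *buf, size_t len, struct parse_result *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);

    while (off < len) {
        /* 1. Is there room for the 4-byte header itself? */
        if (len - off < TLV_HDR_LEN) {
            out->rejected = 1;
            return -1;
        }
        uint16_t type = be16(buf + off);
        uint16_t vlen = be16(buf + off + 2);

        /* 2. Does the declared value length fit in the bytes that remain? */
        if (vlen > len - off - TLV_HDR_LEN) {
            out->rejected = 1;
            return -1;
        }
        const uint8_t *val = buf + off + TLV_HDR_LEN;

        if (type == EXAMPLE_LINK_ATTR) {
            /* 3. Is the attribute body large enough for the field read from it? */
            if (vlen < 4) {
                out->rejected = 1;
                return -1;
            }
            out->attr_value = be32(val);
        }
        out->tlv_count++;
        off += TLV_HDR_LEN + ROUND_UP4(vlen);  /* may overshoot len only after the last TLV */
    }
    return 0;
}

/* Constructed sample bodies for the demonstration (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {
    0x7f, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0a,   /* attr, len 4, value 10 */
    0x00, 0x01, 0x00, 0x02, 0xab, 0xcd, 0x00, 0x00,   /* type 1, len 2, 2 pad bytes */
};
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x7f, 0x01, 0x00, 0x04,                           /* header claims 4 bytes, none follow */
};
static const uint8_t SAMPLE_SHORT_ATTR[] = {
    0x7f, 0x01, 0x00, 0x02, 0x00, 0x0a, 0x00, 0x00,   /* attr body is 2 bytes, reader needs 4 */
};

/* Named entry points so each case can be checked on its own. */
int demo_good_status(void)       { struct parse_result r; return parse_sub_tlvs_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &r); }
int demo_good_tlv_count(void)    { struct parse_result r; parse_sub_tlvs_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &r); return r.tlv_count; }
uint32_t demo_good_attr(void)    { struct parse_result r; parse_sub_tlvs_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &r); return r.attr_value; }
int demo_truncated_status(void)  { struct parse_result r; return parse_sub_tlvs_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &r); }
int demo_short_attr_status(void) { struct parse_result r; return parse_sub_tlvs_checked(SAMPLE_SHORT_ATTR, sizeof SAMPLE_SHORT_ATTR, &r); }

int main(void)
{
    struct parse_result r;
    int rc = parse_sub_tlvs_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &r);
    printf("good:       rc=%d tlvs=%d attr=%u\n", rc, r.tlv_count, (unsigned)r.attr_value);
    rc = parse_sub_tlvs_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &r);
    printf("truncated:  rc=%d tlvs=%d\n", rc, r.tlv_count);
    rc = parse_sub_tlvs_checked(SAMPLE_SHORT_ATTR, sizeof SAMPLE_SHORT_ATTR, &r);
    printf("short attr: rc=%d tlvs=%d\n", rc, r.tlv_count);
    return 0;
}
```

Run as-is it prints one line per case. The well-formed body parses two sub-TLVs and yields the attribute value 10; the two malformed bodies are rejected at a length check before any field is read, which is exactly the point at which the parser described above goes wrong. Rejecting the LSA (and counting the rejection, so it is visible in logs or metrics) is the behaviour a daemon needs so that a single malformed packet cannot take it down.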

Exploit Details

An attacker can exploit this vulnerability by crafting a malformed OSPF LSA packet in which the LINK_TE_ATTR attribute field is missing or corrupted. When a vulnerable FRR instance receives and processes such a packet, the unchecked read of the missing field crashes the ospfd daemon, resulting in a denial of service.

Mitigation

The FRRouting project has released version 9.2, which addresses and fixes the vulnerability. Users are advised to update their FRR software suite to version 9.2 or later as soon as possible.

Original References

1. Official CVE Details
2. FRRouting GitHub Repository
3. FRRouting Release Notes for version 9.2

Conclusion

CVE-2024-27913 is a severe vulnerability in the ospfd daemon of the FRRouting (FRR) software suite. By sending a malformed OSPF LSA packet, remote attackers can crash the daemon and cause a denial of service, disrupting OSPF routing across the network that depends on the affected router. To mitigate this vulnerability, users should upgrade their FRR software to version 9.2 or later without delay.

Timeline

Published on: 02/28/2024 07:15:09 UTC
Last modified on: 02/28/2024 14:06:45 UTC