A recently discovered security vulnerability in GoBGP versions before 3.35.0, tracked as CVE-2025-43971, could allow remote attackers to cause a panic by sending a specially crafted message with a zero value for 'softwareVersionLen'. The panic crashes the GoBGP daemon, resulting in a denial of service (DoS).

GoBGP is an open source, scalable, flexible, and high-performance Border Gateway Protocol (BGP) implementation written in the Go programming language. As a crucial part of internet routing and inter-domain networking, securing BGP implementations is of paramount importance.

In this blog post, we will elaborate on the technical details of the vulnerability, its impact, and the steps to mitigate this issue.

What is the vulnerability?
The vulnerability resides in the 'pkg/packet/bgp/bgp.go' file, specifically in the handling of OPEN messages. If an attacker sends a crafted message containing a zero value for 'softwareVersionLen', the decoder panics and the GoBGP daemon crashes.

Here's the code snippet from 'bgp.go' where the issue occurs:

func (msg *Open) DecodeFromBytes(data []byte) error {
	// ...
	// Read the 2-byte software version length from the wire.
	softwareVersionLen := binary.BigEndian.Uint16(data[fixedRestartMarkerLength-2 :])
	if softwareVersionLen > 0 {
		msg.SoftwareVersion = string(data[: softwareVersionLen])
		data = data[softwareVersionLen:]
	}
	// ...
}

In the above code snippet, the length of 'softwareVersion' is read from the 'data' byte slice and assigned to 'softwareVersionLen'. If this value is zero, the slice operation in the line 'msg.SoftwareVersion = string(data[: softwareVersionLen])' causes a panic, ultimately crashing the GoBGP daemon.

Original References

Details about the vulnerability and the patch to address this issue can be found in the following links:

1. GoBGP GitHub Repository - Issue #2448
2. GoBGP Changelog for Version 3.35.0 - Release Notes
3. GoBGP GitHub Repository - Patch Commit

Exploiting the vulnerability

To exploit this vulnerability, an attacker would need to establish a TCP connection to the GoBGP daemon and send a crafted OPEN message containing a zero value for 'softwareVersionLen'. This would then trigger a panic and crash the GoBGP daemon, resulting in a denial of service.

Mitigation

To mitigate this vulnerability, users should upgrade to GoBGP version 3.35.0 or later. This version includes a patch that corrects the issue. The patch validates 'softwareVersionLen' before operating on the 'data' byte slice:

func (msg *Open) DecodeFromBytes(data []byte) error {
	// ...
	// Read the 2-byte software version length from the wire.
	softwareVersionLen := binary.BigEndian.Uint16(data[fixedRestartMarkerLength-2 :])
	if softwareVersionLen > 0 {
		msg.SoftwareVersion = string(data[: softwareVersionLen])
		data = data[softwareVersionLen:]
	} else {
		// Reject the message instead of letting the decoder panic.
		return fmt.Errorf("invalid software version length: %d", softwareVersionLen)
	}
	// ...
}

By adding a validation check for 'softwareVersionLen', the patch returns an error for a malformed message instead of panicking and crashing the GoBGP daemon.
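The two snippets above show one instance of a general rule for wire parsers: a length read from attacker-controlled bytes must be validated before it is used to slice the buffer. The following standalone Go example, added here and not GoBGP's own code, applies that rule to a hypothetical length-prefixed software version field (a constructed 2-byte big-endian length followed by the version bytes) and rejects a zero length, as the patch does, as well as a length that overruns the remaining data, which an unchecked slice would turn into a panic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical wire layout, constructed for this example (not GoBGP's own):
// a 2-byte big-endian length followed by that many bytes of software version.
const lenFieldSize = 2

var (
	errTruncated  = errors.New("software version: buffer shorter than length field")
	errZeroLength = errors.New("software version: length must be greater than zero")
	errOverrun    = errors.New("software version: declared length exceeds remaining data")
)

// decodeSoftwareVersion validates every length it reads from the wire before
// slicing, so malformed input produces an error rather than a runtime panic.
func decodeSoftwareVersion(data []byte) (version string, rest []byte, err error) {
	if len(data) < lenFieldSize {
		return "", nil, errTruncated
	}
	n := int(binary.BigEndian.Uint16(data[:lenFieldSize]))
	body := data[lenFieldSize:]
	if n == 0 {
		return "", nil, errZeroLength // mirrors the patch's rejection of a zero value
	}
	if n > len(body) {
		return "", nil, errOverrun // an unchecked body[:n] here would panic
	}
	return string(body[:n]), body[n:], nil
}

func main() {
	// Constructed inputs: a valid field, a zero length, an overrunning length,
	// and a buffer too short to even hold the length field.
	inputs := map[string][]byte{
		"valid":     {0x00, 0x05, 'g', 'o', 'b', 'g', 'p'},
		"zero":      {0x00, 0x00},
		"overrun":   {0xff, 0xff, 'g', 'o'},
		"truncated": {0x01},
	}
	for name, in := range inputs {
		v, rest, err := decodeSoftwareVersion(in)
		fmt.Printf("%-10s version=%q remaining=%d err=%v\n", name, v, len(rest), err)
	}
}
```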

Conclusion

CVE-2025-43971 is a critical vulnerability in GoBGP, which can lead to denial of service due to a panic triggered by a specially crafted message. Users are advised to upgrade to GoBGP 3.35.0 or later to ensure their systems are protected against potential exploits. As always, keeping software up to date and closely monitoring for security patches is essential to maintaining a secure environment.

Timeline

Published on: 04/21/2025 01:15:45 UTC
Last modified on: 05/08/2025 15:57:42 UTC