SB2023091371 - Multiple vulnerabilities in FRRouting FRR
Published: September 13, 2023 Updated: November 7, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2023-38802)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing BGP update data with a corrupted attribute 23 (Tunnel Encapsulation). A remote attacker can send specially crafted BGP update data to the application and perform a denial of service (DoS) attack.
2) Input validation error (CVE-ID: CVE-2023-41358)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in bgpd/bgp_packet.c when handling NLRIs. A remote attacker can send specially crafted input to the application and perform a denial of service (DoS) attack.
3) NULL pointer dereference (CVE-ID: CVE-2023-41909)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the bgp_nlri_parse_flowspec() function in bgpd/bgp_flowspec.c. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.
4) Out-of-bounds read (CVE-ID: CVE-2023-41360)
The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in bgpd/bgp_packet.c. A remote attacker can read the initial byte of the ORF header in an ahead-of-stream situation.
5) Out-of-bounds read (CVE-ID: CVE-2023-41359)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the bgp_attr_aigp_valid() function in bgpd/bgp_attr.c. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
6) Buffer overflow (CVE-ID: CVE-2023-41361)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in bgpd/bgp_open.c. A remote attacker can send specially crafted data to the application, trigger memory corruption and execute arbitrary code on the target system.
Remediation
Install update from vendor's website.
References
- https://news.ycombinator.com/item?id=37305800
- https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
- https://www.debian.org/security/2023/dsa-5495
- https://github.com/FRRouting/frr/releases/tag/frr-8.5.3
- https://github.com/FRRouting/frr/releases/tag/frr-9.0.1
- https://github.com/FRRouting/frr/pull/14260
- https://lists.debian.org/debian-lts-announce/2023/09/msg00020.html
- https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8
- https://github.com/FRRouting/frr/pull/14245
- https://github.com/FRRouting/frr/pull/14232
- https://github.com/FRRouting/frr/pull/14241