BGP Mishandled attribute length on Error
A vulnerability exists in the BGP daemon of FRR where a malformed BGP UPDATE packet can leak information from the BGP daemon and cause a denial of service by crashing the daemon.
Nov 8, 2017
FRRouting “FRR” (bgpd) on any platform. Use of FRR without running the BGP daemon is not affected.
All Versions of FRR
All versions of FRR (2.0, 3.0, 3.1) are vulnerable to a remote crafted BGP UPDATE packet with a malformed path attribute length field.
When returning the malformed attribute to the UPDATE sender in the data field of a NOTIFICATION message, the malformed length field is used to compute the amount of data returned. This can result in a heap buffer overflow, allowing an attacker to read up to 4075 bytes of bgpd program heap, including the intended contents of the malformed attribute.
Leaked information is likely to include portions of previous messages received from the requester as well as random heap values. Denial of service via a program crash resulting from out-of-bounds reads is also a possibility. The leaked data is restricted to data from the BGP daemon.
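The length handling described above, as an added illustration (this is not FRR's code; the function names are hypothetical). It assumes the RFC 4271 path attribute header (flags, type, then a 1-byte length, or 2 bytes when the Extended Length flag is set) and the 4096-byte maximum message size, which leaves 4075 bytes for NOTIFICATION data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_FLAG_EXTLEN 0x10            /* RFC 4271: length field is 2 bytes */
#define NOTIFY_DATA_MAX  (4096 - 19 - 2) /* max msg - header - code/subcode */

/* Size the attribute claims to have (header + declared length).
 * Returns 0 if the header itself is not fully present in avail bytes. */
static size_t attr_declared_size(const uint8_t *attr, size_t avail)
{
    if (avail < 3)
        return 0;
    if (attr[0] & ATTR_FLAG_EXTLEN) {
        if (avail < 4)
            return 0;
        return 4 + (((size_t)attr[2] << 8) | attr[3]);
    }
    return 3 + (size_t)attr[2];
}

/* Hypothetical helper: copy the offending attribute into NOTIFICATION data.
 * The declared size comes from the peer, so it is clamped to the bytes
 * actually received and to the room available in the NOTIFICATION. */
static size_t notify_copy_attr(uint8_t *out, const uint8_t *attr, size_t avail)
{
    size_t n = attr_declared_size(attr, avail);

    if (n > avail)
        n = avail;           /* never read past the received UPDATE */
    if (n > NOTIFY_DATA_MAX)
        n = NOTIFY_DATA_MAX; /* never exceed the outgoing message */
    memcpy(out, attr, n);
    return n;
}

int main(void)
{
    /* Constructed sample: header claims a 4000-byte value, 2 bytes present. */
    const uint8_t bad[] = {0x50, 0x02, 0x0f, 0xa0, 0x02, 0x01};
    uint8_t out[NOTIFY_DATA_MAX];

    printf("declared=%zu copied=%zu\n", attr_declared_size(bad, sizeof bad),
           notify_copy_attr(out, bad, sizeof bad));
    return 0;
}
```

Using the declared size without the two clamps is the condition the advisory describes: the copy length is then driven by the peer's length field rather than by the data received.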
In order to exploit this flaw, an attacker must first be able to successfully establish a BGP peering session with the target.
CVSS v3 Base Score: 5.0
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
None. However, the attacker must have access to a system with a configured BGP neighbor.
None known in public at this time. Internal functional exploit code exists.
- FRR before 2.0.2
- FRR 3.0 before 3.0.2
- FRR 3.1 (Development git master) before 8 November 2017
- Cumulus Linux before 3.4.3
Upgrade to FRR 2.0.2 if you are running a version earlier than 2.0.2, or upgrade to 3.0.2 for FRR versions 3.0.x.
Updated packages are available at https://github.com/FRRouting/frr/releases; alternatively, upgrade to the latest Git master version.
Document Revision History:
- 1.0 7 November 2017 – Initial version
- 1.1 10 November 2017 – Updated version with CVSS score and resolved versions
The issue was uncovered by Quentin Young at Cumulus Networks.
Do you have questions?
Questions regarding this advisory should go to firstname.lastname@example.org