CVE-2023-31490: bgpd: Missing length check in bgp_attr_psid_sub about BGP_PREFIX_SID_SRV6_L3_SERVICE · Issue #13099 · FRRouting/frr

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.


Comments

Describe the bug

  • Did you check if this is a duplicate issue?
  • Did you test it on the latest FRRouting/frr master branch?

Hello, I have found a bug in bgp_attr_psid_sub: there is a missing check for type = BGP_PREFIX_SID_SRV6_L3_SERVICE when using stream_getc to get the reserved field.

/* Placeholder code for the SRv6 L3 Service type */
else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
    if (STREAM_READABLE(peer->curr) < length) {
        flog_err(
            EC_BGP_ATTR_LEN,
            "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
            length, STREAM_READABLE(peer->curr));
        return bgp_attr_malformed(args,
             BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
             args->total);
    }

    /* ignore reserved */
    stream_getc(peer->curr);

To Reproduce

When I construct a psid_sub TLV, Type = 5 and Length = 0, Frrouting will crash.
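As an added illustration (not code from the issue or from FRR), a stand-alone C parser for a Prefix-SID sub-TLV header (1-byte type, 2-byte length) that rejects the Type = 5, Length = 0 case before the reserved byte is read. The stream struct, the PSID_* names and the constructed sample bytes are my own; the Length-versus-readable check mirrors the one quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal stream, standing in for FRR's struct stream. */
struct tlv_stream { const uint8_t *buf; size_t len; size_t pos; };
#define TLV_READABLE(s) ((s)->len - (s)->pos)

enum { PSID_TYPE_SRV6_L3_SERVICE = 5 };   /* BGP_PREFIX_SID_SRV6_L3_SERVICE */
enum { PSID_OK = 0, PSID_MALFORMED = -1 };

/* Parse one sub-TLV. Returns PSID_OK or PSID_MALFORMED; on success
 * *consumed receives the value length that was skipped. */
int parse_psid_sub(struct tlv_stream *s, size_t *consumed)
{
    if (TLV_READABLE(s) < 3)
        return PSID_MALFORMED;            /* no room for type + length */
    uint8_t type = s->buf[s->pos++];
    uint16_t length = (uint16_t)((s->buf[s->pos] << 8) | s->buf[s->pos + 1]);
    s->pos += 2;

    if (TLV_READABLE(s) < length)
        return PSID_MALFORMED;            /* the check the quoted code has */

    if (type == PSID_TYPE_SRV6_L3_SERVICE) {
        /* The check the quoted code lacks: the reserved byte belongs to the
         * value, so a value shorter than 1 byte must be rejected. With
         * Length = 0 the readable check above passes, yet the reserved-byte
         * read falls outside the TLV's value. */
        if (length < 1)
            return PSID_MALFORMED;
        s->pos++;                         /* ignore reserved */
        s->pos += length - 1;             /* skip the rest of the value */
    } else {
        s->pos += length;                 /* unknown type: skip the value */
    }
    *consumed = length;
    return PSID_OK;
}

/* Constructed sample: Type = 5, Length = 0, the reporter's crashing input. */
static const uint8_t sample_crash[] = { 0x05, 0x00, 0x00 };
/* Constructed sample: Type = 5, Length = 1, reserved byte 0x00. */
static const uint8_t sample_ok[] = { 0x05, 0x00, 0x01, 0x00 };

int parse_sample(const uint8_t *data, size_t len, size_t *consumed)
{
    struct tlv_stream s = { data, len, 0 };
    return parse_psid_sub(&s, consumed);
}
```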

I pushed a PR for this back in December but it’s been stalled due to me being busy with some other stuff
#12454

I’ll get back to it today and get this in


Hi Melissa,

Could you please share with us on how to construct a message that can reproduce this crash?

I tried to use scapy but I’m not sure how to construct such a message.

Thank you!

Can you share the PoC and the BGP configuration? Thanks!

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue

Jul 31, 2023

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

References: https://nvd.nist.gov/vuln/detail/CVE-2023-31490 FRRouting/frr#13099

Signed-off-by: Narpat Mali [email protected]
[Fixup so patch would apply]
Signed-off-by: Armin Kuster [email protected]

jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue

Aug 9, 2023

Source: meta-openembedded
MR: 127624
Type: Integration
Disposition: Merged from meta-openembedded
ChangeID: 8ab74be
Description:

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

References: https://nvd.nist.gov/vuln/detail/CVE-2023-31490 FRRouting/frr#13099

Signed-off-by: Narpat Mali [email protected]
[Fixup so patch would apply]
Signed-off-by: Armin Kuster [email protected]
Signed-off-by: Jeremy A. Puhlman [email protected]

Related news

Debian Security Advisory 5495-1

Debian Linux Security Advisory 5495-1 - Multiple vulnerabilities were discovered in frr, the FRRouting suite of internet protocols. While processing malformed requests and packets, the BGP daemon may hit reachable assertions, NULL pointer dereferences, or out-of-bounds memory accesses, which may lead to denial of service.

Ubuntu Security Notice USN-6323-1

Ubuntu Security Notice 6323-1 - Ben Cartwright-Cox discovered that FRR did not handle RFC 7606 attributes properly. A remote attacker could possibly use this to cause denial of service.

Ubuntu Security Notice USN-6136-1

Ubuntu Security Notice 6136-1 - It was discovered that FRR incorrectly handled parsing certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service. This issue only affected Ubuntu 23.04. It was discovered that FRR incorrectly handled parsing certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.
