CVE-2023-31490: bgpd: Missing length check in bgp_attr_psid_sub about BGP_PREFIX_SID_SRV6_L3_SERVICE · Issue #13099 · FRRouting/frr
An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.
Comments
Describe the bug
- Did you check if this is a duplicate issue?
- Did you test it on the latest FRRouting/frr master branch?
Hello, I have found a bug in bgp_attr_psid_sub: there is a missing check for type = BGP_PREFIX_SID_SRV6_L3_SERVICE when using stream_getc to get the reserved field.

```c
	/* Placeholder code for the SRv6 L3 Service type */
	else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
		if (STREAM_READABLE(peer->curr) < length) {
			flog_err(
				EC_BGP_ATTR_LEN,
				"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
				length, STREAM_READABLE(peer->curr));
			return bgp_attr_malformed(args,
						  BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
						  args->total);
		}
		/* ignore reserved */
		stream_getc(peer->curr);
```
To Reproduce
When I construct a psid_sub TLV with Type = 5 and Length = 0, FRRouting will crash.
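The following is an added illustration and is not FRR code or code from the reporter. It is a toy model of the parse path quoted above: a 1-byte Type and 2-byte Length header, then the SRv6 L3 Service body, which reads one reserved byte. The quoted code only checks that `length` bytes remain; with Length = 0 that check passes and the reserved byte is read anyway, either from past the end of the data or from whatever follows the TLV. The `hardened` variant adds a minimum-length check before touching the stream. The stream helpers, the `SRV6_L3_SERVICE_MIN_LEN` constant, and the input byte strings are all constructed here (assumptions, not taken from FRR); the real FRR stream library does not return an error on an out-of-bounds read but reports the bound violation and aborts, which is the crash the report describes.

```c
/* Added example, not FRR code: toy model of the Prefix-SID TLV parse path. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BGP_PREFIX_SID_SRV6_L3_SERVICE 5   /* TLV type from the report */
#define SRV6_L3_SERVICE_MIN_LEN        1   /* assumption: the 1-byte Reserved field must fit inside the TLV */

/* Toy stand-in for FRR's stream (constructed here). */
struct stream {
	const uint8_t *data;
	size_t len;
	size_t getp;      /* read cursor */
	int overread;     /* set when a read runs past the buffer */
};

#define STREAM_READABLE(s) ((s)->len - (s)->getp)

static int stream_getc(struct stream *s, uint8_t *out)
{
	if (STREAM_READABLE(s) < 1) {
		s->overread = 1;   /* FRR's stream library aborts here instead of returning */
		return -1;
	}
	*out = s->data[s->getp++];
	return 0;
}

static int stream_getw(struct stream *s, uint16_t *out)
{
	uint8_t hi, lo;
	if (stream_getc(s, &hi) < 0 || stream_getc(s, &lo) < 0)
		return -1;
	*out = (uint16_t)((hi << 8) | lo);
	return 0;
}

enum psid_result { PSID_OK, PSID_MALFORMED, PSID_OVERREAD };

/* Body of the SRv6 L3 Service TLV. `hardened` adds the check the report says is missing. */
static enum psid_result parse_srv6_l3_service(struct stream *s, uint16_t length, int hardened)
{
	uint8_t reserved;

	if (hardened && length < SRV6_L3_SERVICE_MIN_LEN)
		return PSID_MALFORMED;          /* reject before reading anything */

	/* the check from the quoted code: enough bytes for `length`, but `length` may be 0 */
	if (STREAM_READABLE(s) < length)
		return PSID_MALFORMED;

	if (stream_getc(s, &reserved) < 0)  /* "ignore reserved": read regardless of length */
		return PSID_OVERREAD;

	/* Sub-TLVs are not parsed in this toy; skip the rest of the declared body.
	 * With length == 0 the reserved byte came from outside the TLV, so the
	 * cursor is now one byte into whatever follows. */
	if (length > 0)
		s->getp += length - 1;
	return PSID_OK;
}

/* One Prefix-SID TLV: 1-byte Type, 2-byte Length, then the body. */
enum psid_result parse_psid_tlv(struct stream *s, int hardened)
{
	uint8_t type;
	uint16_t length;

	if (stream_getc(s, &type) < 0 || stream_getw(s, &length) < 0)
		return PSID_MALFORMED;
	if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE)
		return parse_srv6_l3_service(s, length, hardened);
	if (STREAM_READABLE(s) < length)    /* other types: just skip the body */
		return PSID_MALFORMED;
	s->getp += length;
	return PSID_OK;
}

enum psid_result run_tlv(const uint8_t *buf, size_t len, int hardened)
{
	struct stream s = { buf, len, 0, 0 };
	return parse_psid_tlv(&s, hardened);
}

/* Constructed inputs, not captured traffic. */
static const uint8_t poc_tlv[]       = { 0x05, 0x00, 0x00 };               /* Type 5, Length 0: the report's trigger, nothing after it */
static const uint8_t good_tlv[]      = { 0x05, 0x00, 0x01, 0x00 };         /* Type 5, Length 1, Reserved = 0 */
static const uint8_t poc_then_more[] = { 0x05, 0x00, 0x00, 0xAA, 0xBB, 0xCC }; /* Type 5, Length 0, followed by unrelated bytes */

int main(void)
{
	printf("PoC, vulnerable: %d (2 = over-read)\n", run_tlv(poc_tlv, sizeof poc_tlv, 0));
	printf("PoC, hardened:   %d (1 = rejected as malformed)\n", run_tlv(poc_tlv, sizeof poc_tlv, 1));
	printf("good, hardened:  %d (0 = ok)\n", run_tlv(good_tlv, sizeof good_tlv, 1));
	return 0;
}
```

The third input shows the quieter failure: when the zero-length TLV is not the last thing in the buffer, the vulnerable path does not over-read at all; it silently consumes the next byte as "reserved" and leaves the cursor misaligned for everything parsed afterwards.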
I pushed a PR for this back in December but it’s been stalled due to me being busy with some other stuff
#12454
I’ll get back to it today and get this in
Hi Melissa,
Could you please share with us on how to construct a message that can reproduce this crash?
I tried to use Scapy but I’m not sure how to construct such a message.
Thank you!
Can you share the PoC and the BGP configuration? Thanks!
halstead pushed a commit to openembedded/meta-openembedded that referenced this issue
Jul 31, 2023
An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.
References: https://nvd.nist.gov/vuln/detail/CVE-2023-31490 FRRouting/frr#13099
Signed-off-by: Narpat Mali [email protected] [Fixup so patch would apply] Signed-off-by: Armin Kuster [email protected]
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue
Aug 9, 2023
Source: meta-openembedded
MR: 127624
Type: Integration
Disposition: Merged from meta-openembedded
ChangeID: 8ab74be
Description:
An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.
References: https://nvd.nist.gov/vuln/detail/CVE-2023-31490 FRRouting/frr#13099
Signed-off-by: Narpat Mali [email protected] [Fixup so patch would apply] Signed-off-by: Armin Kuster [email protected] Signed-off-by: Jeremy A. Puhlman [email protected]
Related news
Debian Linux Security Advisory 5495-1 - Multiple vulnerabilities were discovered in frr, the FRRouting suite of internet protocols, while processing malformed requests and packets the BGP daemon may have reachable assertions, NULL pointer dereference, out-of-bounds memory access, which may lead to denial of service attack.
Ubuntu Security Notice 6323-1 - Ben Cartwright-Cox discovered that FRR did not handle RFC 7606 attributes properly. A remote attacker could possibly use this to cause denial of service.
Ubuntu Security Notice 6136-1 - It was discovered that FRR incorrectly handled parsing certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service. This issue only affected Ubuntu 23.04. It was discovered that FRR incorrectly handled parsing certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.