Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software


The Hacker News

Network Security / Vulnerability

Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.

The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. It’s currently used by several vendors like NVIDIA Cumulus, DENT, and SONiC, posing supply chain risks.

The discovery is the result of an analysis of seven different implementations of BGP carried out by Forescout Vedere Labs: FRRouting, BIRD, OpenBGPd, Mikrotik RouterOS, Juniper JunOS, Cisco IOS, and Arista EOS.

BGP is a gateway protocol that’s designed to exchange routing and reachability information between autonomous systems. It’s used to find the most efficient routes for delivering internet traffic.

The three flaws are as follows:

  • CVE-2022-40302 (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
  • CVE-2022-40318 (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
  • CVE-2022-43681 (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet.

The issues “could be exploited by attackers to achieve a DoS condition on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive,” the company said in a report shared with The Hacker News.

“The DoS condition may be prolonged indefinitely by repeatedly sending malformed packets. The main root cause is the same vulnerable code pattern copied into several functions related to different stages of parsing OPEN messages.”

A threat actor could spoof a valid IP address of a trusted BGP peer or exploit other flaws and misconfigurations to compromise a legitimate peer and then issue a specially-crafted unsolicited BGP OPEN message.

This is achieved by taking advantage of the fact that “FRRouting begins to process OPEN messages (e.g., decapsulating optional parameters) before it gets a chance to verify the BGP Identifier and ASN fields of the originating router.”
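As an added illustration (this is not Forescout's or FRRouting's code), the parser below shows what a bounds-checked walk over the optional parameters of a BGP OPEN message looks like, covering both the classic one-octet parameter length and the RFC 9072 extended (0xff) form in which the per-parameter header grows from 2 to 3 octets; it refuses the truncated shapes described above instead of reading past the bytes that were actually received. The OPEN field layout follows RFC 4271 and RFC 9072; the sample AS number, router ID and capability bytes are constructed for the example.

```python
import struct

# Fixed OPEN fields: version(1) + my AS(2) + hold time(2) + BGP identifier(4) + opt parm len(1)
OPEN_FIXED_LEN = 10


def build_open_body(params, extended=False):
    """Constructed sample OPEN body (after the 19-byte BGP header); params = [(type, value)]."""
    blob = b"".join(bytes([t]) + (struct.pack("!H", len(v)) if extended else bytes([len(v)])) + v
                    for t, v in params)
    head = struct.pack("!BHH4s", 4, 65000, 90, b"\x0a\x00\x00\x01")  # AS 65000, hold 90s, id 10.0.0.1
    if extended:  # RFC 9072: non-ext length 0xff, non-ext type 0xff, then a 2-byte extended length
        return head + b"\xff\xff" + struct.pack("!H", len(blob)) + blob
    return head + bytes([len(blob)]) + blob


def parse_open_optional_params(body):
    """Return [(type, value)] from an OPEN body, or raise ValueError if any length
    field points past the bytes actually received (the shape of the three FRR bugs)."""
    if len(body) < OPEN_FIXED_LEN:
        raise ValueError("OPEN shorter than its fixed fields")
    opt_len, pos, extended = body[9], OPEN_FIXED_LEN, False
    if opt_len == 0xFF:
        # Extended format: 3 more octets (type 0xff + 2-byte length) must exist before we read them
        if len(body) < pos + 3 or body[pos] != 0xFF:
            raise ValueError("truncated or malformed extended optional parameters header")
        opt_len, pos, extended = struct.unpack_from("!H", body, pos + 1)[0], pos + 3, True
    end = pos + opt_len
    if end > len(body):
        raise ValueError("optional parameters length exceeds message")
    hdr_len = 3 if extended else 2  # type octet + 2-byte or 1-byte length
    params = []
    while pos < end:
        if end - pos < hdr_len:  # message ends with the type or length octet(s)
            raise ValueError("truncated optional parameter header")
        ptype = body[pos]
        plen = struct.unpack_from("!H", body, pos + 1)[0] if extended else body[pos + 1]
        pos += hdr_len
        if pos + plen > end:
            raise ValueError("optional parameter value exceeds declared length")
        params.append((ptype, body[pos:pos + plen]))
        pos += plen
    return params


def check_open(body):
    """Non-raising wrapper: (True, params) when well-formed, else (False, reason)."""
    try:
        return True, parse_open_optional_params(body)
    except ValueError as exc:
        return False, str(exc)
```

Every length is validated against the received buffer before the corresponding octets are touched, which is the property the copied FRR code pattern lacked.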


Forescout has also made available an open source tool called bgp_boofuzzer that allows organizations to test the security of the BGP suites used internally as well as find new flaws in BGP implementations.

“Modern BGP implementations still have low-hanging fruits that can be abused by attackers,” Forescout said. “To mitigate the risk of vulnerable BGP implementations, […] the best recommendation is to patch network infrastructure devices as often as possible.”

The findings come weeks after ESET found that secondhand routers previously used in business networking environments harbored sensitive data, including corporate credentials, VPN details, cryptographic keys, and other vital customer information.

“In the wrong hands, the data gleaned from the devices – including customer data, router-to-router authentication keys, application lists, and much more – is enough to launch a cyberattack,” the Slovak cybersecurity firm said.


Related news

Debian Security Advisory 5495-1

Debian Linux Security Advisory 5495-1 - Multiple vulnerabilities were discovered in frr, the FRRouting suite of internet protocols. While processing malformed requests and packets, the BGP daemon may hit reachable assertions, NULL pointer dereferences, or out-of-bounds memory accesses, which may lead to a denial of service attack.

CVE-2022-40302 (FRRouting/frr releases)

An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case.

CVE-2022-43681 (Forescout)

An out-of-bounds read exists in the BGP daemon of FRRouting FRR through 8.4. When sending a malformed BGP OPEN message that ends with the option length octet (or the option length word, in the case of an extended OPEN message), the FRR code reads out of the bounds of the packet, throwing a SIGABRT signal and exiting. This results in a bgpd daemon restart, causing a Denial-of-Service condition.