A flaw was found in the networking subsystem of the Linux kernel within the handling of the RPL protocol. This issue results from the lack of proper handling of user-supplied data, which can lead to an assertion failure. This may allow an unauthenticated remote attacker to create a denial of service condition on the system.

01/26/22 – ZDI reported the vulnerability to the vendor.

02/02/22 – The vendor acknowledged the report.

08/24/22 – ZDI asked for an update.

08/24/22 – The vendor asked for additional details about the vulnerability.

09/19/22 – The vendor states that there is a patch, but the ZDI informed the vendor that the bug is still triggerable on the latest mainline.

10/05/22 – ZDI provided additional details.

10/07/22 – The vendor states there is a new patch, but the ZDI was able to reproduce the vulnerability on the latest mainline.

10/26/22 – The vendor informed the ZDI that they would continue to investigate.

04/12/23 – ZDI asked for an update.

04/14/23 – The vendor informed the ZDI that a new patch would merge into the latest mainline on 04/21/2023.

04/21/23 – The original finder reports to the vendor that the patch may not work, and it was confirmed by the ZDI that the vulnerability is reproducible on the latest mainline.

05/02/23 – The ZDI informed the vendor that the case will be published as a zero-day advisory on 05/04/23, and in coordination with Red Hat this vulnerability will be assigned CVE-2023-2156.

\-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.

CVE-2023-2156: ZDI-23-547

Server for NFS Denial of Service Vulnerability

CVE-2023-24939

Microsoft Access Denial of Service Vulnerability

CVE-2023-29333

Remote Procedure Call Runtime Denial of Service Vulnerability

CVE-2023-24942

Windows SMB Denial of Service Vulnerability

CVE-2023-24898

Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability

CVE-2023-24940

U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors.
The takedown is part of an ongoing international initiative dubbed Operation PowerOFF that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.
The development comes almost five months after a "sweep" in December 2022 dismantled 48 similar services

Cyber Crime / DDoS Attack

U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors.

The takedown is part of an ongoing international initiative dubbed Operation PowerOFF that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.

The development comes almost five months after a "sweep" in December 2022 dismantled 48 similar services for abetting paying users to launch distributed denial-of-service (DDoS) attacks against targets of interest.

This includes school districts, universities, financial institutions, and government websites, according to the U.S. Department of Justice (DoJ).

Ten of the 13 illicit domains seized are "reincarnations" of booter or stresser services that were previously shuttered towards the end of last year.

"In recent years, booter services have continued to proliferate, as they offer a low barrier to entry for users looking to engage in cybercriminal activity," DoJ said in a press release on Monday.

"In addition to harming victims by disrupting or degrading access to the internet, attacks from booter services can also completely sever internet connections for other customers served by the same internet service provider via a shared connection point."

Parallel to the domain seizures, the DoJ also said that four of the six individuals who were charged in December 2022 in connection with operating the services have entered into a guilty plea.

The defendants – Jeremiah Sam Evans Miller, 23, of San Antonio, Texas; Angel Manuel Colon Jr., 37, of Belleview, Florida; Shamar Shattock, 19, of Margate, Florida; and Cory Anthony Palmer, 23, of Lauderhill, Florida – are expected to be sentenced later this year.

**Try2Check Card-Checking Service Goes Down**

The announcement comes days after the disruption of Try2Check (aka Try2Services) following a decade-long investigation, an illegal online platform that enabled threat actors to check the status of stolen credit card numbers in their possession and determine if they were valid and active.

The DoJ also charged a 43-year-old Russian national, Denis Gennadievich Kulkov, for his role in creating and turning the service into a "primary tool of the illicit credit card trade," with the State Department offering a $10 million reward for information leading to his arrest.

The department is further extending a separate bounty of up to $1 million for any specifics that will help to identify other key leaders of the Try2Check cybercrime group.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The fraudulent platform, per the indictment, allegedly misused the systems of a prominent U.S.-based payment processing firm to perform the card checks by exploiting its preauthorization service. The name of the company was not disclosed.

Try2Check, which launched in 2005, is estimated to have processed tens of millions of credit card checks every year and facilitated the operations of several major card shops like Joker's Stash that specialized in bulk trafficking of stolen credit cards. As of February 2022, a single card check cost $0.20.

"Through the illegal operation of his websites, the defendant made at least $18 million in bitcoin (as well as an unknown amount through other payment systems), which he used to purchase a Ferrari, among other luxury items," the DoJ noted.

The indictment against Kulkov also arrives weeks after Denis Mihaqlovic Dubnikov, who pleaded guilty to charges of money laundering for the Ryuk ransomware gang earlier this year, was sentenced to time served and ordered to forfeit $2,000 in illegal profits.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Authorities Seize 13 Domains Offering Criminal DDoS-for-Hire Services

Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c.

CVE-2023-30086

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function.

**Describe the bug**

*   Did you check if this is a duplicate issue?
*   Did you test it on the latest FRRouting/frr master branch?

Hello, I have find a bug in bgp\_capability\_llgr that it length check is wrong. In the draft document it has 7 bytes as shown in the following figure.

The capability value consists of zero or more tuples <AFI, SAFI,  
Flags, Long-lived Stale Time> as follows:

      +--------------------------------------------------+
      | Address Family Identifier (16 bits)              |
      +--------------------------------------------------+
      | Subsequent Address Family Identifier (8 bits)    |
      +--------------------------------------------------+
      | Flags for Address Family (8 bits)                |
      +--------------------------------------------------+
      | Long-lived Stale Time (24 bits)                  |
      +--------------------------------------------------+
    

While, in the code it only check 4 bytes.

    while (stream_get_getp(s) + 4 <= end) {
    	afi_t afi;
    	safi_t safi;
    	iana_afi_t pkt_afi = stream_getw(s);
    	iana_safi_t pkt_safi = stream_getc(s);
    	uint8_t flags = stream_getc(s);
    	uint32_t stale_time = stream_get3(s);
    
       }
    

**To Reproduce**  
If I construct a packet only has 6 bytes of the llgr, the frrrouting will crash.

BGP: in thread bgp\_process\_packet scheduled from bgpd/bgp\_io.c:269 bgp\_process\_reads()  
core\_handler: showing active allocations in memory group libfrr  
core\_handler: memstats: Buffer : 2 \* 24  
core\_handler: memstats: Host config : 8 \* (variably sized)  
core\_handler: memstats: Command Tokens : 12082 \* 72  
core\_handler: memstats: Command Token Text : 8746 \* (variably sized)  
core\_handler: memstats: Command Token Help : 8746 \* (variably sized)  
core\_handler: memstats: Command Argument Name : 2052 \* (variably sized)  
core\_handler: memstats: RCU thread : 2 \* 128  
core\_handler: memstats: FRR POSIX Thread : 4 \* (variably sized)  
core\_handler: memstats: POSIX sync primitives : 4 \* (variably sized)  
core\_handler: memstats: Graph : 40 \* 8  
core\_handler: memstats: Graph Node : 14266 \* 32  
core\_handler: memstats: Hash : 573 \* (variably sized)  
core\_handler: memstats: Hash Bucket : 2340 \* 32  
core\_handler: memstats: Hash Index : 287 \* (variably sized)  
core\_handler: memstats: Link List : 36 \* 40  
core\_handler: memstats: Link Node : 334 \* 24  
core\_handler: memstats: Temporary memory : 15 \* (variably sized)  
core\_handler: memstats: Bitfield memory : 2 \* (variably sized)  
core\_handler: memstats: Northbound Node : 240 \* 1192  
core\_handler: memstats: Northbound Configuration : 2 \* 16  
core\_handler: memstats: Privilege information : 3 \* (variably sized)  
core\_handler: memstats: Ring buffer : 6 \* (variably sized)  
core\_handler: memstats: Skip List : 2 \* 56  
core\_handler: memstats: Skip Node : 2 \* 160  
core\_handler: memstats: Skiplist Counters : 2 \* 68  
core\_handler: memstats: Socket union : 2 \* 112  
core\_handler: memstats: Stream : 12 \* (variably sized)  
core\_handler: memstats: Stream FIFO : 6 \* 64  
core\_handler: memstats: Route table : 100 \* 56  
core\_handler: memstats: Thread : 15 \* 160  
core\_handler: memstats: Thread master : 12 \* (variably sized)  
core\_handler: memstats: Thread Poll Info : 6 \* 8388608  
core\_handler: memstats: Thread stats : 18 \* 96  
core\_handler: memstats: Typed-hash bucket : 5 \* (variably sized)  
core\_handler: memstats: Typed-heap array : 1 \* 576  
core\_handler: memstats: Vector : 28613 \* 24  
core\_handler: memstats: Vector index : 28613 \* (variably sized)  
core\_handler: memstats: VRF : 1 \* 216  
core\_handler: memstats: VTY server : 3 \* 32  
core\_handler: memstats: Work queue : 3 \* 152  
core\_handler: memstats: Work queue name string : 3 \* (variably sized)  
core\_handler: memstats: YANG module : 5 \* 48  
core\_handler: memstats: Zclient : 2 \* 3144  
core\_handler: memstats: Redistribution instance IDs : 6 \* 2  
core\_handler: memstats: log thread-local buffer : 2 \* 24608  
core\_handler: showing active allocations in memory group logging subsystem  
core\_handler: memstats: log file target : 2 \* 88  
core\_handler: memstats: log file name : 1 \* 14  
core\_handler: showing active allocations in memory group bgpd  
core\_handler: memstats: BGP instance : 2 \* (variably sized)  
core\_handler: memstats: BGP listen socket details : 2 \* 144  
core\_handler: memstats: BGP peer : 3 \* 740824  
core\_handler: memstats: BGP peer hostname : 4 \* (variably sized)  
core\_handler: memstats: BGP peer af : 2 \* 80  
core\_handler: memstats: BGP attribute : 1 \* 312  
core\_handler: memstats: BGP aspath : 1 \* 40  
core\_handler: memstats: BGP aspath str : 1 \* 1  
core\_handler: memstats: BGP table : 87 \* 56  
core\_handler: memstats: BGP node : 2 \* 192  
core\_handler: memstats: BGP route : 1 \* 112  
core\_handler: memstats: BGP static : 1 \* 144  
core\_handler: memstats: BGP synchronise : 63 \* 72  
core\_handler: memstats: community-list handler : 1 \* 120  
core\_handler: memstats: BGP nexthop : 1 \* 184  
core\_handler: memstats: BGP EVPN MH Information : 1 \* 56  
core\_handler: memstats: BGP PBR Context : 1 \* 32  
core\_handler: memstats: BGP EVPN instance information : 1 \* 56  
core\_handler: showing active allocations in memory group rfapi  
core\_handler: memstats: NVE Configuration : 1 \* 2984  
core\_handler: memstats: RFAPI Generic : 1 \* 296  
core\_handler: memstats: RFAPI Import Table : 1 \* 208  
Aborted (core dumped)

**Expected behavior**

**Screenshots**

**Versions**

*   OS Version:

*   Kernel:

*   FRR Version:

**Additional context**

CVE-2023-31489: bgpd: the length check of bgp_capability_llgr is not correct · Issue #13098 · FRRouting/frr

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**Describe the bug**

*   Did you check if this is a duplicate issue?
*   Did you test it on the latest FRRouting/frr master branch?

Hello, I have find a bug in bgp\_attr\_psid\_sub, there is a missing check of the type = BGP\_PREFIX\_SID\_SRV6\_L3\_SERVICE when using stream\_getc to get reseverd field.

    /* Placeholder code for the SRv6 L3 Service type */
    else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
    	if (STREAM_READABLE(peer->curr) < length) {
    		flog_err(
    			EC_BGP_ATTR_LEN,
    			"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
    			length, STREAM_READABLE(peer->curr));
    		return bgp_attr_malformed(args,
    			 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
    			 args->total);
    	}
    
    	/* ignore reserved */
    	stream_getc(peer->curr);
    

**To Reproduce**

When I construct a psid\_sub TLV, Type = 5 and Length = 0, Frrouting will crash.  
**Expected behavior**

**Screenshots**

**Versions**

*   OS Version:

*   Kernel:

*   FRR Version:

**Additional context**

I pushed a PR for this back in December but it's been stalled due to me being busy with some other stuff  
#12454

I'll get back to it today and get this in

> **Describe the bug**
> 
> *   Did you check if this is a duplicate issue?
> *   Did you test it on the latest FRRouting/frr master branch?
> 
> Hello, I have find a bug in bgp\_attr\_psid\_sub, there is a missing check of the type = BGP\_PREFIX\_SID\_SRV6\_L3\_SERVICE when using stream\_getc to get reseverd field.
> 
>     /* Placeholder code for the SRv6 L3 Service type */
>     else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
>     	if (STREAM_READABLE(peer->curr) < length) {
>     		flog_err(
>     			EC_BGP_ATTR_LEN,
>     			"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
>     			length, STREAM_READABLE(peer->curr));
>     		return bgp_attr_malformed(args,
>     			 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
>     			 args->total);
>     	}
>     
>     	/* ignore reserved */
>     	stream_getc(peer->curr);
>     
> 
> **To Reproduce**
> 
> When I construct a psid\_sub TLV, Type = 5 and Length = 0, Frrouting will crash. **Expected behavior**
> 
> **Screenshots**
> 
> **Versions**
> 
> *   OS Version:
>     
> *   Kernel:
>     
> *   FRR Version:
>     
> 
> **Additional context**

Hi Melissa,

Could you please share with us on how to construct a message that can reproduce this crash?

I tried to use scappy but I'm not sure how to construct such a message.

Thank you!

can you share the PoC and the bgp configuration? thanks!

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue

Jul 31, 2023

 

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp\_attr\_psid\_sub() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31490
FRRouting/frr#13099

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
\[Fixup so patch would apply\]
Signed-off-by: Armin Kuster <akuster808@gmail.com>

jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue

Aug 9, 2023

 

Source: meta-openembedded
MR: 127624
Type: Integration
Disposition: Merged from meta-openembedded
ChangeID: 8ab74be
Description:

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp\_attr\_psid\_sub() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31490
FRRouting/frr#13099

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
\[Fixup so patch would apply\]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>

Tag

#dos