See https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling and https://github.com/advisories/GHSA-xh4f-v933-c556. No fix yet. """ FRR Impact (and other downstream vendors) FRR attempts to handle bad attributes using RFC 7606 behaviour. However the fuzzer discovered that a corrupted attribute 23 (Tunnel Encapsulation) will cause a session to go down regardless. After reporting this bug to FRR maintainers I received an acknowledgement of the issue and understanding that the issue is a DoS risk to FRR users, but I have not managed to get anything out of FRR since. This bug is being tracked as CVE-2023-38802 and at the time of writing has no patch or fix. FRR is packaged inside many other products, to name a few: SONIC, PICA8, Cumulus, and DANOS. """
https://social.treehouse.systems/@benjojo@benjojo.co.uk/110972799363361853
CVE-2023-46752 (https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35): An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash. 9.0 patch: https://github.com/FRRouting/frr/commit/d5d6be1d854f4d26a181abc152b0f3859076af3d CVE-2023-46753 (https://github.com/FRRouting/frr/pull/14645/commits/d8482bf011cb2b173e85b65b4bf3d5061250cdb9): An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute. 9.0 patch: https://github.com/FRRouting/frr/commit/d5d6be1d854f4d26a181abc152b0f3859076af3d CVE-2023-41909 (https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8): An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes, leading to a NULL pointer dereference. "through 9.0" but it seems like the patch made it in long before 9.0 was even released? CVE-2023-41361 (https://github.com/FRRouting/frr/pull/14241): An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version. 9.0 Patch: https://github.com/FRRouting/frr/commit/d8238e90ab8380955a057ef036caa811ab572092 CVE-2023-41359 (https://github.com/FRRouting/frr/pull/14232): An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation. 9.0 Patch: https://github.com/FRRouting/frr/commit/f7575946c10c1ad10c9e99d71a7eb1e633d655b8 CVE-2023-41358 (https://github.com/FRRouting/frr/pull/14260): An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero. 9.0 Patch: https://github.com/FRRouting/frr/commit/0c4d2fdbfd90bafadc1f6f25cf00e687672acc45 CVE-2023-41360 (https://github.com/FRRouting/frr/pull/14245): An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation. 9.0 patch: https://github.com/FRRouting/frr/commit/24660906b2228ff3239cccb5fd2cb4c52ddea62d CVE-2023-3748 (https://bugzilla.redhat.com/show_bug.cgi?id=2223668): A flaw was found in FRRouting when parsing certain babeld unicast hello messages that are intended to be ignored. This issue may allow an attacker to send specially crafted hello messages with the unicast flag set, the interval field set to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to enter an infinite loop and cause a denial of service. Redhat's omitted any useful references but their bug references https://github.com/FRRouting/frr/issues/11808 which in turn references https://github.com/FRRouting/frr/pull/12950, which was in master before 9.0 was released. So.. all have patches or are already fixed.
