
Bug 913242 (CVE-2023-3748, CVE-2023-38802, CVE-2023-41358, CVE-2023-41359, CVE-2023-41360, CVE-2023-41361, CVE-2023-41909, CVE-2023-46752, CVE-2023-46753)

Summary: net-misc/frr: multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: alarig, jaco, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
See Also: https://github.com/FRRouting/frr/issues/14289
          https://github.com/FRRouting/frr/pull/14290
          https://github.com/gentoo/gentoo/pull/33752
Whiteboard: B3 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description Sam James 2023-08-30 07:11:30 UTC
See https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling and https://github.com/advisories/GHSA-xh4f-v933-c556.

No fix yet.

"""
FRR Impact (and other downstream vendors)

FRR attempts to handle bad attributes using RFC 7606 behaviour. However the fuzzer discovered that a corrupted attribute 23 (Tunnel Encapsulation) will cause a session to go down regardless.

After reporting this bug to FRR maintainers I received an acknowledgement of the issue and understanding that the issue is a DoS risk to FRR users, but I have not managed to get anything out of FRR since.

This bug is being tracked as CVE-2023-38802 and at the time of writing has no patch or fix.

FRR is packaged inside many other products, to name a few: SONIC, PICA8, Cumulus, and DANOS.
"""
Comment 2 John Helmert III 2023-10-30 03:17:11 UTC
CVE-2023-46752 (https://github.com/FRRouting/frr/pull/14645/commits/b08afc81c60607a4f736f418f2e3eb06087f1a35):

An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.

9.0 patch: https://github.com/FRRouting/frr/commit/d5d6be1d854f4d26a181abc152b0f3859076af3d

CVE-2023-46753 (https://github.com/FRRouting/frr/pull/14645/commits/d8482bf011cb2b173e85b65b4bf3d5061250cdb9):

An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.

9.0 patch: https://github.com/FRRouting/frr/commit/d5d6be1d854f4d26a181abc152b0f3859076af3d

CVE-2023-41909 (https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8):

An issue was discovered in FRRouting FRR through 9.0. bgp_nlri_parse_flowspec in bgpd/bgp_flowspec.c processes malformed requests with no attributes, leading to a NULL pointer dereference.

"through 9.0" but it seems like the patch made it in long before 9.0 was even released?

CVE-2023-41361 (https://github.com/FRRouting/frr/pull/14241):

An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not check for an overly large length of the rcv software version.

9.0 Patch: https://github.com/FRRouting/frr/commit/d8238e90ab8380955a057ef036caa811ab572092

CVE-2023-41359 (https://github.com/FRRouting/frr/pull/14232):

An issue was discovered in FRRouting FRR through 9.0. There is an out-of-bounds read in bgp_attr_aigp_valid in bgpd/bgp_attr.c because there is no check for the availability of two bytes during AIGP validation.

9.0 Patch: https://github.com/FRRouting/frr/commit/f7575946c10c1ad10c9e99d71a7eb1e633d655b8

CVE-2023-41358 (https://github.com/FRRouting/frr/pull/14260):

An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero.

9.0 Patch: https://github.com/FRRouting/frr/commit/0c4d2fdbfd90bafadc1f6f25cf00e687672acc45

CVE-2023-41360 (https://github.com/FRRouting/frr/pull/14245):

An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c can read the initial byte of the ORF header in an ahead-of-stream situation.

9.0 patch: https://github.com/FRRouting/frr/commit/24660906b2228ff3239cccb5fd2cb4c52ddea62d

CVE-2023-3748 (https://bugzilla.redhat.com/show_bug.cgi?id=2223668):

A flaw was found in FRRouting when parsing certain babeld unicast hello messages that are intended to be ignored. This issue may allow an attacker to send specially crafted hello messages with the unicast flag set, the interval field set to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to enter an infinite loop and cause a denial of service.

Red Hat has omitted any useful references, but their bug references https://github.com/FRRouting/frr/issues/11808, which in turn references https://github.com/FRRouting/frr/pull/12950, which was in master before 9.0 was released.

So... all have patches or are already fixed.
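The BGP entries above are failures of one kind: the parser either reads past what the message actually contains (AIGP validation without checking that two length octets exist, the ORF header byte read ahead of the stream, malformed MP_REACH_NLRI) or goes on to process routes from an UPDATE that lacks what it must carry (zero attribute length, no mandatory attributes). The following is an added example, not code from this bug report, from FRR or from the linked advisories: a small Python parser for the Path Attributes section of an UPDATE that applies the RFC 7606 model the description refers to (session reset only when the attribute list itself cannot be parsed, treat-as-withdraw for errors inside a well-framed UPDATE) with a bounds check before every read. The attribute type codes are IANA-registered; the `Action` and `ParseResult` types, the sample byte strings and the exact mapping of each fault to an outcome are this example's own assumptions.

```python
"""Defensive parser for the Path Attributes section of a BGP UPDATE message.

Added example, not FRR's code: it models the RFC 7606 split between session
reset (attribute list unparseable) and treat-as-withdraw (error inside a
well-framed UPDATE), with a length check before every read. Type codes are
IANA-registered; the sample messages at the bottom are constructed.
"""
import struct
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ACCEPT = "accept"
    TREAT_AS_WITHDRAW = "treat-as-withdraw"  # drop the routes, keep the session up
    SESSION_RESET = "session-reset"          # attribute list unparseable; cannot recover


ORIGIN, AS_PATH, NEXT_HOP, LOCAL_PREF, ATOMIC_AGGREGATE = 1, 2, 3, 5, 6
WELL_KNOWN = {ORIGIN, AS_PATH, NEXT_HOP, LOCAL_PREF, ATOMIC_AGGREGATE}
MP_REACH_NLRI, MP_UNREACH_NLRI, AIGP = 14, 15, 26
FLAG_OPTIONAL, FLAG_EXTENDED_LENGTH = 0x80, 0x10
AIGP_TLV_TYPE, AIGP_TLV_LEN = 1, 11  # RFC 7311: 1 type + 2 length + 8 value octets


@dataclass
class ParseResult:
    action: Action
    reason: str = ""
    attrs: dict = field(default_factory=dict)  # type code -> raw value bytes


def validate_aigp(value: bytes) -> str:
    """Return "" if the AIGP TLV list is well-formed, else a description of the fault.
    The TLV length field is two octets; both must exist before it is read, which is
    the check the AIGP out-of-bounds read listed above lacked."""
    pos = 0
    while pos < len(value):
        if len(value) - pos < 3:
            return "AIGP TLV header truncated"
        tlv_type = value[pos]
        (tlv_len,) = struct.unpack_from("!H", value, pos + 1)
        if tlv_len < 3 or tlv_len > len(value) - pos:
            return f"AIGP TLV length {tlv_len} out of range"
        if tlv_type == AIGP_TLV_TYPE and tlv_len != AIGP_TLV_LEN:
            return f"AIGP TLV type 1 must be {AIGP_TLV_LEN} octets, got {tlv_len}"
        pos += tlv_len
    return ""


def parse_path_attributes(buf: bytes, carries_nlri: bool = True) -> ParseResult:
    """Walk the attribute list. `carries_nlri` says whether the UPDATE's own NLRI field
    is non-empty: zero attribute bytes with NLRI present is then a missing-mandatory case."""
    attrs: dict = {}
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            return ParseResult(Action.SESSION_RESET, "truncated attribute header")
        flags, code = buf[pos], buf[pos + 1]
        hdr_len = 4 if flags & FLAG_EXTENDED_LENGTH else 3
        if len(buf) - pos < hdr_len:
            return ParseResult(Action.SESSION_RESET, f"attribute {code}: length field truncated")
        length = struct.unpack_from("!H", buf, pos + 2)[0] if hdr_len == 4 else buf[pos + 2]
        pos += hdr_len
        if length > len(buf) - pos:
            return ParseResult(Action.SESSION_RESET,
                               f"attribute {code}: length {length} exceeds {len(buf) - pos} remaining")
        value = buf[pos:pos + length]
        pos += length
        if not flags & FLAG_OPTIONAL and code not in WELL_KNOWN:
            # RFC 4271 s.6.3 "Unrecognized Well-known Attribute"; RFC 7606 keeps the reset here
            return ParseResult(Action.SESSION_RESET, f"unrecognized well-known attribute {code}")
        if code in attrs:
            if code in (MP_REACH_NLRI, MP_UNREACH_NLRI):
                return ParseResult(Action.SESSION_RESET, f"attribute {code} repeated")
            continue  # RFC 7606: later duplicates of any other attribute are discarded
        if code == ORIGIN and (length != 1 or value[0] > 2):
            return ParseResult(Action.TREAT_AS_WITHDRAW, "malformed ORIGIN", attrs)
        if code == AIGP and (err := validate_aigp(value)):
            return ParseResult(Action.TREAT_AS_WITHDRAW, err, attrs)
        attrs[code] = value  # unknown optional attributes (type 23 included) are carried, not decoded
    if carries_nlri or MP_REACH_NLRI in attrs:
        needed = [ORIGIN, AS_PATH] + ([NEXT_HOP] if carries_nlri else [])  # RFC 4760 NEXT_HOP rule
        missing = [c for c in needed if c not in attrs]
        if missing:
            return ParseResult(Action.TREAT_AS_WITHDRAW, f"missing mandatory attribute(s) {missing}", attrs)
    return ParseResult(Action.ACCEPT, "", attrs)


# Constructed sample attribute lists (not captured traffic): ORIGIN=IGP, empty AS_PATH, NEXT_HOP 10.0.0.1
GOOD = b"\x40\x01\x01\x00" + b"\x40\x02\x00" + b"\x40\x03\x04\x0a\x00\x00\x01"
SHORT_AIGP = GOOD + b"\x80\x1a\x02\x01\x00"  # AIGP value holds 2 of the 3 TLV header octets
ONLY_UNKNOWN = b"\xc0\xff\x01\x00"            # a lone unknown optional transitive attribute
OVERSIZED = b"\x40\x01\x05\x00"               # ORIGIN claims 5 octets, 1 present

if __name__ == "__main__":
    for name, msg in [("good", GOOD), ("empty+nlri", b""), ("short_aigp", SHORT_AIGP),
                      ("only_unknown", ONLY_UNKNOWN), ("oversized", OVERSIZED)]:
        r = parse_path_attributes(msg)
        print(f"{name:12s} -> {r.action.value:18s} {r.reason}")
```

Running the module prints one line per constructed sample. The zero-length list with NLRI present and the lone unknown transitive attribute both end as treat-as-withdraw, which is the outcome the "attribute length is zero" and "without mandatory attributes" entries above call for, while the oversized length resets the session because nothing after it can be trusted. Tunnel Encapsulation and other unknown optional attributes are carried opaquely here; a decoder that interprets their contents needs the same per-TLV length checks that validate_aigp applies.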
Comment 3 Alarig Le Lay 2024-10-02 14:39:04 UTC
Hello,

Since https://github.com/gentoo/gentoo/pull/33752 has been merged, maybe we can close this bug?