CVE-2023-41361 is a security vulnerability in FRRouting FRR 9.0, a widely used open-source IP routing protocol suite. This post covers what the bug is, where it sits in the code, how it can be triggered, and where to read more.

The Problem

An issue was identified in FRRouting FRR 9.0: bgpd/bgp_open.c does not check for an overly large length of the received ("rcv") Software Version capability carried in a BGP OPEN message. To understand the impact, it helps to know where this code sits in FRR and when it runs.

FRRouting (FRR) is an IP routing protocol suite that provides support for protocols such as BGP, OSPF, RIP, and many others. It plays an essential role in enabling routers to communicate with each other to route traffic efficiently across the internet.

The problem lies within the bgpd daemon, which implements BGP (Border Gateway Protocol) in FRR. BGP is the protocol routers use to exchange reachability information across the internet, which makes bgpd a high-value target for anyone who wants to disrupt or manipulate traffic flows. The affected code runs while parsing the OPEN message, the first BGP message exchanged on a new TCP session, so it is reached before the session ever becomes Established and before any routing policy applies.

The Crux of the Issue

The vulnerability exists within the bgpd/bgp_open.c file, in the code that parses the optional parameters (capabilities) of a BGP OPEN message. The Software Version capability carries a one-octet length followed by that many bytes of version string. The schematic below is a simplified sketch of the flow rather than FRR's actual source (the function and variable names are illustrative):

/* Parse open message in BGP packet (schematic, not FRR's real code) */
static int
bgp_open_parse (struct peer *peer, bgp_size_t size)
{
    ...
    /* Here, software_version_length is not checked against the buffer it is copied into */
    bgp_open_optional (peer, &optlen, &data, &software_version_length);
    ...
}

In this sketch, bgp_open_parse() handles the received BGP OPEN message and bgp_open_optional() extracts the length octet of the Software Version capability. That peer-supplied length is then used to copy the version string into a fixed-size buffer (64 bytes in FRR's definition), and nothing compares the length against the size of that buffer. Because the length is a single octet, a peer can supply up to 255 bytes for a 64-byte destination.

Exploiting the Vulnerability

An attacker can craft a BGP OPEN message whose Software Version capability declares a length larger than the destination buffer, producing an out-of-bounds write on the receiving side. In practice the observed result is a crash of bgpd, which tears down every BGP session the router holds and so amounts to a denial of service (DoS); the public scoring of the CVE rates it as an availability impact, and no public demonstration of arbitrary code execution exists. Reliable code execution would additionally require defeating the usual stack protections on the target.

Two caveats shape the real exposure. First, the overflow happens during OPEN processing, before the session is Established, so no BGP policy or prefix filtering helps. Second, FRR only completes a BGP session with addresses it has been configured to peer with, so the attacker must either be a configured neighbor or be able to reach bgpd as one (for example by spoofing or compromising a peer's address); TCP MD5 authentication and TTL security (GTSM) on the neighbor raise that bar further.

Because BGP is a critical component of IP routing, a reachable bgpd crash in FRR 9.0 can cause severe disruption in any network that relies on it.
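The following C program is an added example illustrating both the parsing flow sketched above and the trigger described in this section; it is not FRR's code and not taken from the page. It assumes a 64-byte receive buffer (mirroring FRR's BGP_MAX_SOFT_VERSION) and IANA capability code 75 for Software Version; both values are assumptions of this example. The capability bytes are constructed inline, not captured traffic. The unchecked parser copies into the buffer struct as a whole so the overrun lands in a sentinel region instead of the real stack, which lets the program count exactly how many bytes beyond the buffer a 200-byte version string overwrites, while the hardened parser adds the single bound check the CVE is about.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this illustration (not taken from the page): FRR keeps the peer's
 * software version in a 64-byte buffer and the capability code is 75. */
#define SOFT_VERSION_MAX 64
#define CAP_CODE_SOFT_VERSION 75

/* Fixed receive buffer followed by a sentinel standing in for whatever sits after
 * it in a real stack frame. One struct, so the overrun stays inside one object. */
struct version_slot {
    char str[SOFT_VERSION_MAX + 1];
    uint8_t sentinel[256];
};

struct case_result {
    int unchecked_rc;   /* 0 = accepted, -1 = rejected */
    int checked_rc;
    size_t clobbered;   /* sentinel bytes the unchecked parser overwrote */
};

/* Capability TLV: code (1), length (1), value. For Software Version the value is one
 * length octet followed by that many ASCII bytes. Returns TLV size, 0 if it won't fit. */
static size_t build_soft_version_cap(uint8_t *buf, size_t buf_sz,
                                     const char *ver, uint8_t ver_len)
{
    if (ver_len > 254 || buf_sz < (size_t)ver_len + 3)
        return 0;
    buf[0] = CAP_CODE_SOFT_VERSION;
    buf[1] = (uint8_t)(ver_len + 1);   /* capability length includes the inner length octet */
    buf[2] = ver_len;
    memcpy(buf + 3, ver, ver_len);
    return (size_t)ver_len + 3;
}

/* Framing checks: capability fits the message, string fits the capability.
 * Returns the inner length or -1. Does NOT compare len with the destination size. */
static int soft_version_len(const uint8_t *tlv, size_t tlv_len)
{
    if (tlv_len < 3 || tlv[0] != CAP_CODE_SOFT_VERSION)
        return -1;
    uint8_t cap_len = tlv[1];
    uint8_t len = tlv[2];
    if ((size_t)cap_len + 2 > tlv_len || (size_t)len + 1 > cap_len)
        return -1;
    return len;
}

/* Vulnerable pattern: the peer-supplied length drives a copy into the fixed buffer.
 * dst points at the whole struct so the overrun lands in the sentinel. */
static int parse_soft_version_unchecked(const uint8_t *tlv, size_t tlv_len,
                                        struct version_slot *slot)
{
    int len = soft_version_len(tlv, tlv_len);
    if (len < 0)
        return -1;
    uint8_t *dst = (uint8_t *)slot;          /* stands in for &slot->str[0] */
    memcpy(dst, tlv + 3, (size_t)len);       /* up to 254 bytes into a 65-byte buffer */
    dst[len] = '\0';
    return 0;
}

/* Hardened pattern: same framing checks plus the bound against the destination.
 * Oversized versions are rejected, so the OPEN can be refused and the peer notified. */
static int parse_soft_version_checked(const uint8_t *tlv, size_t tlv_len,
                                      struct version_slot *slot)
{
    int len = soft_version_len(tlv, tlv_len);
    if (len < 0 || len > SOFT_VERSION_MAX)   /* second clause is the missing check */
        return -1;
    memcpy(slot->str, tlv + 3, (size_t)len);
    slot->str[len] = '\0';
    return 0;
}

/* Feeds one constructed Software Version capability to both parsers. */
static struct case_result run_case(const char *ver, uint8_t ver_len)
{
    uint8_t tlv[300];
    struct version_slot a, b;
    struct case_result r = { -1, -1, 0 };
    size_t n = build_soft_version_cap(tlv, sizeof tlv, ver, ver_len);
    if (n == 0)
        return r;
    memset(&a, 0xAA, sizeof a);              /* sentinel fill; str is overwritten anyway */
    memset(&b, 0xAA, sizeof b);
    r.unchecked_rc = parse_soft_version_unchecked(tlv, n, &a);
    r.checked_rc = parse_soft_version_checked(tlv, n, &b);
    for (size_t i = 0; i < sizeof a.sentinel; i++)
        if (a.sentinel[i] != 0xAA)
            r.clobbered++;
    return r;
}

/* Same, with a version string of ver_len copies of c (e.g. 200 x 'A'). */
static struct case_result run_case_repeat(char c, uint8_t ver_len)
{
    char ver[255];
    memset(ver, c, sizeof ver);
    return run_case(ver, ver_len);
}

int main(void)
{
    struct case_result ok = run_case("FRRouting/9.0", 13);
    struct case_result bad = run_case_repeat('A', 200);
    printf("13-byte : unchecked=%d checked=%d clobbered=%zu\n",
           ok.unchecked_rc, ok.checked_rc, ok.clobbered);
    printf("200-byte: unchecked=%d checked=%d clobbered=%zu\n",
           bad.unchecked_rc, bad.checked_rc, bad.clobbered);
    return 0;
}
```

With a 200-byte version the unchecked parser accepts the capability and writes 136 bytes past the 65-byte buffer (135 payload bytes plus the terminating NUL); the checked parser rejects it with the framing untouched. Note that the framing checks alone are not enough: the capability is internally consistent, so only the comparison against the destination size stops the overrun.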

Official References and Further Reading

1. The official CVE entry for this vulnerability can be accessed at the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2023-41361
2. More information about the FRRouting project can be found at the official FRRouting GitHub repository: https://github.com/FRRouting/frr
3. Details about the BGP protocol, including the OPEN message and optional parameters, are in RFC 4271: https://www.rfc-editor.org/rfc/rfc4271

Conclusion

CVE-2023-41361 is a significant vulnerability in FRRouting FRR 9.0: a peer that can reach bgpd's OPEN processing can crash the daemon through the unchecked Software Version length, taking every BGP session on the router down with it. Network administrators running FRR 9.0 should upgrade to a release that includes the fix for this CVE, and in the meantime limit who can open a session with bgpd: peer only with explicitly configured neighbors, and use TCP MD5 authentication and TTL security on those neighbors where the peer supports them.

Timeline

Published on: 08/29/2023 04:15:17 UTC
Last modified on: 10/26/2023 19:52:51 UTC