CVE-2023-31490

7.5 HIGH

📋 TL;DR

A vulnerability in FRRouting's BGP daemon (bgpd) allows remote attackers to cause denial of service by sending specially crafted BGP packets that trigger a flaw in the bgp_attr_psid_sub() function. This affects organizations running FRRouting for BGP routing. The vulnerability can be exploited by any remote BGP peer.

💻 Affected Systems

Products:
  • FRRouting (FRR)
Versions: Version 8.4.2 specifically mentioned; earlier versions may also be affected but not confirmed
Operating Systems: Linux distributions including Debian, Fedora, and others that package FRRouting
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with BGP enabled and configured. The vulnerability is triggered when processing specific BGP attributes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete BGP routing disruption causing network outages and loss of connectivity for all routes handled by the affected FRRouting instance.

🟠 Likely Case

BGP daemon crash requiring manual restart, causing temporary routing instability and potential packet loss until service is restored.

🟢 If Mitigated

Limited impact with proper BGP session filtering and network segmentation, potentially affecting only isolated routing domains.

🌐 Internet-Facing: HIGH - BGP peers on the internet can directly exploit this vulnerability if they have established BGP sessions with the vulnerable system.
🏢 Internal Only: MEDIUM - Internal BGP peers can exploit this, but internal networks typically have more controls and monitoring than internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires sending specially crafted BGP packets, which is straightforward for attackers with BGP session access.

Exploitation requires the ability to send BGP packets to the vulnerable system, typically meaning established BGP peering relationships.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FRRouting versions after 8.4.2; check specific distribution patches

Vendor Advisory: https://github.com/FRRouting/frr/issues/13099

Restart Required: Yes

Instructions:

1. Update FRRouting to patched version via package manager.
2. For Debian: apt update && apt upgrade frr
3. For Fedora: dnf update frr
4. Restart FRRouting service: systemctl restart frr

🔧 Temporary Workarounds

BGP Session Filtering

linux

Restrict BGP sessions to trusted peers only using access control lists and prefix filtering

vtysh -c 'configure terminal' -c 'router bgp <ASN>' -c 'neighbor <IP> prefix-list <LIST> in'

Disable PSID Processing

linux

If PSID (Path Segment Identifier) functionality is not required, disable related BGP extensions

vtysh -c 'configure terminal' -c 'router bgp <ASN>' -c 'no bgp additional-paths send receive'

🧯 If You Can't Patch

  • Implement strict BGP session filtering to only allow connections from trusted, verified peers
  • Deploy network monitoring and alerting for BGP daemon crashes or unusual BGP traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check FRRouting version: frr --version | grep -i version. If version is 8.4.2 or potentially earlier, system may be vulnerable.

Check Version:

frr --version | grep -i version || dpkg -l | grep frr || rpm -qa | grep frr

Verify Fix Applied:

Verify updated version: frr --version. Check that version is newer than 8.4.2. Monitor BGP sessions for stability after patch.

📡 Detection & Monitoring

Log Indicators:

  • FRRouting daemon crash logs in /var/log/frr/bgpd.log
  • Unexpected BGP session resets
  • Core dumps from bgpd process

Network Indicators:

  • Unusual BGP UPDATE messages containing PSID attributes
  • Sudden BGP session drops from specific peers
  • Increased BGP error messages in network traffic

SIEM Query:

(process:name="bgpd" AND (event:type="crash" OR exit_code!=0)) OR (log_source:"frr" AND (message:"segmentation fault" OR message:"bgp_attr_psid_sub"))
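
The version check and log indicators above, combined into shell helpers for host triage. This is an added example, not code from FRRouting or the advisory; the function names and sample log lines are constructed, and it assumes a `sort` that supports `-V` (GNU coreutils).

```sh
#!/bin/sh
# Added example, not FRRouting code. The 8.4.2 reference, the log path and the
# two search strings come from this page; function names are constructed.

# Classify a version string (upstream or package-style, e.g. "8.4.2-1" or
# "1:8.5-2") against the 8.4.2 release named on this page.
frr_version_status() {
    # Strip a package epoch and anything after the dotted upstream version.
    v=$(printf '%s\n' "$1" | sed -E 's/^[0-9]+://; s/^([0-9]+(\.[0-9]+)*).*/\1/')
    case "$v" in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if [ "$v" = "8.4.2" ]; then echo affected; return 0; fi
    # sort -V orders version strings; the first output line is the lower one.
    lowest=$(printf '%s\n%s\n' "$v" "8.4.2" | sort -V | head -n 1)
    if [ "$lowest" = "$v" ]; then
        echo unconfirmed   # older than 8.4.2: may be affected, not confirmed
    else
        echo newer         # after 8.4.2: still check the distribution's patch notes
    fi
}

# Count log lines matching the crash indicators listed on this page.
bgpd_crash_hits() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -i -E 'segmentation fault|bgp_attr_psid_sub' "$1" || true
}

# Constructed sample lines (not real FRR log output) so the scan runs offline.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
constructed: BGP session established with 192.0.2.1
constructed: bgpd backtrace frame bgp_attr_psid_sub
constructed: bgpd received signal 11, Segmentation fault
EOF

for ver in 7.5.1 8.4.2-1 1:8.5-2; do
    echo "$ver -> $(frr_version_status "$ver")"
done
echo "indicator lines in sample: $(bgpd_crash_hits "$sample_log")"
rm -f "$sample_log"
# On a host: bgpd_crash_hits /var/log/frr/bgpd.log
```

A result of `newer` only compares version numbers; a distribution may also ship the fix as a backport under an older version string, so package changelogs remain the authority.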
