CVE-2023-38406
📋 TL;DR
CVE-2023-38406 is a critical buffer overflow vulnerability in FRRouting's BGP flowspec component that allows remote attackers to execute arbitrary code or cause denial of service. The vulnerability occurs when processing BGP flowspec NLRI packets with zero length, leading to improper memory handling. Organizations using FRRouting for network routing are affected.
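The summary above says the defect is triggered by a flowspec NLRI with a zero length. The following added example (written for this page, not FRRouting's bgpd code) shows what a defensive decoder of the RFC 5575 flowspec NLRI length encoding looks like: each item's length is one byte below 0xF0 and two bytes above it, and a zero length or a length that runs past the payload is rejected before any component is touched. The sample NLRI bytes are constructed.

```python
"""Defensive decoding of BGP flowspec NLRI length prefixes.

Added illustration for this page; it is not FRRouting's bgpd code. It follows
the RFC 5575 section 4 length encoding and treats a zero-length item as a
protocol error to be rejected before any component is parsed.
"""
from typing import List


class FlowspecNlriError(ValueError):
    """Malformed flowspec NLRI; the enclosing UPDATE should be discarded."""


def encode_flowspec_nlri(items: List[bytes]) -> bytes:
    """Build a flowspec NLRI blob from per-item component byte strings.

    Lengths below 0xF0 take one byte; 0xF0..0xFFF take two bytes with the
    high nibble of the first byte set to 0xF. Used here only to construct
    sample input.
    """
    out = bytearray()
    for item in items:
        n = len(item)
        if n >= 0xF0:
            if n > 0xFFF:
                raise ValueError("flowspec NLRI item longer than 4095 bytes")
            out += bytes([0xF0 | (n >> 8), n & 0xFF])
        else:
            out.append(n)
        out += item
    return bytes(out)


def decode_flowspec_nlri(payload: bytes) -> List[bytes]:
    """Split a flowspec NLRI blob into its items, validating every length.

    Raises FlowspecNlriError on a zero length, a truncated two-byte length
    prefix, or a length that runs past the end of the payload.
    """
    items: List[bytes] = []
    pos, end = 0, len(payload)
    while pos < end:
        first = payload[pos]
        if first >= 0xF0:
            if pos + 1 >= end:
                raise FlowspecNlriError(f"truncated two-byte length at offset {pos}")
            length = ((first & 0x0F) << 8) | payload[pos + 1]
            pos += 2
        else:
            length = first
            pos += 1
        # A flowspec rule must carry at least one component byte. Accepting a
        # zero length here and carrying on is the defect class the page describes.
        if length == 0:
            raise FlowspecNlriError(f"zero-length flowspec NLRI item at offset {pos}")
        if pos + length > end:
            raise FlowspecNlriError(
                f"NLRI item length {length} at offset {pos} exceeds payload ({end} bytes)"
            )
        items.append(payload[pos:pos + length])
        pos += length
    return items


def nlri_is_acceptable(payload: bytes) -> bool:
    """True if the NLRI decodes cleanly; False if the UPDATE should be dropped."""
    try:
        decode_flowspec_nlri(payload)
        return True
    except FlowspecNlriError:
        return False


# Constructed sample: one rule with a destination-prefix component
# (type 1, /24, 10.0.0.0), then the same blob with a zero-length item appended.
SAMPLE_GOOD = encode_flowspec_nlri([bytes([0x01, 24, 10, 0, 0])])
SAMPLE_ZERO_LENGTH = SAMPLE_GOOD + b"\x00"

if __name__ == "__main__":
    print(decode_flowspec_nlri(SAMPLE_GOOD))
    print(nlri_is_acceptable(SAMPLE_ZERO_LENGTH))
```

The point of `nlri_is_acceptable` is that the decision to drop the UPDATE is made on the length fields alone, before any component parser sees the bytes; a decoder that instead hands a zero-length slice to the component parser is relying on every downstream function to cope with an empty buffer.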
💻 Affected Systems
- FRRouting (FRR)
📦 What is this software?
FRRouting (FRR) is an open-source IP routing protocol suite for Linux and Unix platforms, developed by the FRRouting project. Its bgpd daemon implements BGP, including the flowspec address family affected by this vulnerability.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges leading to complete system compromise, network disruption, and potential lateral movement across infrastructure.
Likely Case
Denial of service causing BGP session termination and network instability, potentially leading to routing blackholes.
If Mitigated
Limited impact with proper network segmentation and BGP session filtering, potentially only causing service restart.
🎯 Exploit Status
Exploitation requires BGP session establishment but no authentication beyond standard BGP peer relationships.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.4.3 and later
Vendor Advisory: https://github.com/FRRouting/frr/security/advisories
Restart Required: Yes
Instructions:
1. Back up the current FRR configuration.
2. Stop the FRR service: 'systemctl stop frr'.
3. Upgrade FRR to version 8.4.3 or later using the package manager.
4. Restart the FRR service: 'systemctl start frr'.
5. Verify that BGP sessions re-establish.
🔧 Temporary Workarounds
Disable BGP Flowspec
Disable the BGP flowspec feature so that the vulnerable packet type is not processed.
vtysh
configure terminal
router bgp <AS>
no bgp flowspec
end
write memory
Filter BGP Flowspec NLRI
Use route-maps to filter flowspec NLRI from BGP peers.
vtysh
configure terminal
route-map FILTER-FLOWSPEC deny 10
match nlri flowspec
router bgp <AS>
neighbor <IP> route-map FILTER-FLOWSPEC in
end
write memory
🧯 If You Can't Patch
- Implement strict BGP peer filtering to only allow trusted peers
- Deploy network-based intrusion detection to monitor for anomalous BGP flowspec traffic
🔍 How to Verify
Check if Vulnerable:
Check the FRR version with 'frr --version' or 'vtysh -v'. If the version is below 8.4.3 and BGP flowspec is enabled, the system is vulnerable.
Check Version:
frr --version
Verify Fix Applied:
After patching, verify that the version is 8.4.3 or higher with 'frr --version'. Confirm that BGP sessions remain stable.
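The check described above (version below 8.4.3 and flowspec enabled) is easy to script across a fleet. The following is an added example, not an FRRouting tool: it assumes the version banner printed by `vtysh -c "show version"` begins with "FRRouting X.Y.Z" and that flowspec shows up in the running configuration as an "address-family ipv4 flowspec" or "address-family ipv6 flowspec" stanza under "router bgp". Both are assumptions about output format; the sample banner and configuration are constructed.

```python
"""Version and configuration triage for CVE-2023-38406.

Added illustration for this page, not an FRRouting tool. Assumed formats:
the banner starts with "FRRouting X.Y.Z" and flowspec is configured through
an "address-family ipv4|ipv6 flowspec" stanza.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (8, 4, 3)  # first fixed release named on the page
_VERSION_RE = re.compile(r"FRRouting\s+(\d+)\.(\d+)(?:\.(\d+))?")
_FLOWSPEC_AF_RE = re.compile(r"^\s*address-family\s+ipv[46]\s+flowspec\b", re.MULTILINE)


def parse_frr_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an FRR version banner; None if absent.

    A missing patch component ("FRRouting 8.5") is treated as .0.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def flowspec_configured(running_config: str) -> bool:
    """True if any flowspec address-family stanza is present in the running config."""
    return _FLOWSPEC_AF_RE.search(running_config) is not None


def assess(banner: str, running_config: str) -> str:
    """Classify a host: 'vulnerable', 'unpatched-flowspec-disabled', 'fixed' or 'unknown'.

    'unpatched-flowspec-disabled' still needs the upgrade scheduled; the
    workaround only removes the exposure while flowspec stays off.
    """
    version = parse_frr_version(banner)
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "fixed"
    return "vulnerable" if flowspec_configured(running_config) else "unpatched-flowspec-disabled"


# Constructed sample output and configuration (assumed formats, see module docstring).
SAMPLE_BANNER = "FRRouting 8.4.2 (router1) on Linux(5.15.0)."
SAMPLE_CONFIG = """router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 !
 address-family ipv4 flowspec
  neighbor 192.0.2.1 activate
 exit-address-family
!
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

One caveat for the version comparison: the references below include Debian LTS announcements, and distributions that backport the fix keep their original version string, so on such hosts the banner alone reports "vulnerable" when the package changelog is what actually answers the question.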
📡 Detection & Monitoring
Log Indicators:
- FRR crash logs
- BGP session resets
- Memory corruption errors in syslog
Network Indicators:
- Unusual BGP flowspec traffic
- BGP UPDATE messages with zero-length NLRI
SIEM Query:
source="frr.log" AND ("crash" OR "segmentation fault" OR "buffer overflow")
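The SIEM query above covers the crash keywords; the indicator list also names BGP session resets, which are worth counting per peer rather than just matching. The following added example (written for this page, not FRRouting code) runs both checks over constructed syslog lines. The "%ADJCHANGE: neighbor ... Down" shape of bgpd's session messages and the "Received signal 11" crash line are assumptions about FRR's log format; the kernel "segfault at", systemd "status=11/SEGV" and glibc "buffer overflow detected" lines are the forms those components normally emit.

```python
"""Scan syslog/FRR lines for the log indicators listed on this page.

Added illustration, not FRRouting code. Sample lines are constructed; the
bgpd message shapes are assumptions about its log format.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Indicator name -> pattern. Mirrors the page's list: crash, segmentation
# fault, buffer overflow, BGP session resets.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "crash": re.compile(r"\bcrash(ed|ing)?\b", re.IGNORECASE),
    "segfault": re.compile(r"segmentation fault|segfault|signal 11|SIGSEGV|\bSEGV\b", re.IGNORECASE),
    "buffer_overflow": re.compile(r"buffer overflow|stack smashing detected", re.IGNORECASE),
    # Assumed bgpd format: "%ADJCHANGE: neighbor <ip>(<desc>) in vrf <v> Down <reason>"
    "bgp_session_reset": re.compile(r"%ADJCHANGE: neighbor ([^\s(]+).*\bDown\b"),
}

RESET_FLAP_THRESHOLD = 3  # Down events for one peer within the scanned window


def scan_frr_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator, line) for every line matching an indicator."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.rstrip()))
    return hits


def flapping_peers(lines: List[str]) -> Dict[str, int]:
    """Peers whose session went Down at least RESET_FLAP_THRESHOLD times."""
    counts: Counter = Counter()
    for line in lines:
        m = INDICATORS["bgp_session_reset"].search(line)
        if m:
            counts[m.group(1)] += 1
    return {peer: n for peer, n in counts.items() if n >= RESET_FLAP_THRESHOLD}


# Constructed sample: a bgpd crash, a watchfrr/systemd restart and a peer that
# keeps dropping afterwards.
SAMPLE_LOG = [
    "Jun 10 12:00:01 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.1(peer-a) in vrf default Up",
    "Jun 10 12:00:05 rtr1 bgpd[1234]: Received signal 11 at 1686398405 (si_addr 0x0); aborting...",
    "Jun 10 12:00:05 rtr1 kernel: bgpd[1234]: segfault at 0 ip 000055d0c3a1b2c4 sp 00007ffd1c2e0a10 error 4 in bgpd",
    "Jun 10 12:00:06 rtr1 systemd[1]: frr.service: Main process exited, code=dumped, status=11/SEGV",
    "Jun 10 12:00:06 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.1(peer-a) in vrf default Down Neighbor deleted",
    "Jun 10 12:00:09 rtr1 bgpd[1300]: %ADJCHANGE: neighbor 192.0.2.1(peer-a) in vrf default Up",
    "Jun 10 12:00:20 rtr1 bgpd[1300]: %ADJCHANGE: neighbor 192.0.2.1(peer-a) in vrf default Down BGP Notification received",
    "Jun 10 12:00:31 rtr1 bgpd[1300]: %ADJCHANGE: neighbor 192.0.2.1(peer-a) in vrf default Down BGP Notification received",
    "Jun 10 12:00:32 rtr1 bgpd[1300]: %ADJCHANGE: neighbor 198.51.100.7(peer-b) in vrf default Down Hold Timer Expired",
    "Jun 10 12:00:40 rtr1 bgpd[1300]: *** buffer overflow detected ***: terminated",
]

if __name__ == "__main__":
    for lineno, name, line in scan_frr_log(SAMPLE_LOG):
        print(f"{lineno:3d} {name:18s} {line}")
    print("flapping:", flapping_peers(SAMPLE_LOG))
```

A crash indicator followed within seconds by repeated Down events for the same peer is the combination to alert on: a single reset is routine, a crash with a peer that keeps resetting after the daemon restarts matches the denial-of-service case described under Likely Case.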
🔗 References
- https://github.com/FRRouting/frr/compare/frr-8.4.2...frr-8.4.3
- https://github.com/FRRouting/frr/pull/12884
- https://lists.debian.org/debian-lts-announce/2024/04/msg00019.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00007.html