CVE-2023-38802

CVSS v3.1: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; availability impact only)

📋 TL;DR

A remote attacker can crash bgpd in FRRouting FRR 7.5.1 through 9.0, and in Pica8 PICOS 4.3.3.2, by sending a BGP UPDATE that carries a malformed Tunnel Encapsulation path attribute (type code 23). The attribute is optional and transitive, so a router that does not understand it forwards it unchanged; a crafted UPDATE can therefore reach a vulnerable router through intermediate ASes, not only from a directly connected peer. Any FRR or PICOS deployment on an affected version with BGP sessions established is exposed. The result is loss of BGP routing on that router until bgpd is restarted, and a restart re-triggers the crash as long as a peer keeps advertising the offending route.
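To make the attribute layout concrete, here is an added example (my code, not FRR's) that parses the BGP Path Attributes field (RFC 4271) and the Tunnel Encapsulation attribute's TLV/sub-TLV structure (RFC 9012), applying the RFC 7606 "treat-as-withdraw" discipline that the fixed FRR releases adopt: any length inconsistency inside attribute 23 invalidates the UPDATE's NLRI instead of aborting the process. The byte strings are constructed for illustration; the tunnel type and sub-TLV numbers are placeholders whose meaning does not matter here, only their lengths do.

```python
"""Minimal BGP path-attribute / Tunnel Encapsulation (type 23) parser.

Added example, not FRR code. Sample bytes are constructed, not captured.
"""
import struct

TUNNEL_ENCAP = 23
FLAG_EXTENDED_LENGTH = 0x10   # RFC 4271 s4.3: length field is 2 octets when set


class TreatAsWithdraw(Exception):
    """Malformed attribute: the caller withdraws the UPDATE's NLRI (RFC 7606)."""


def parse_path_attributes(buf: bytes):
    """Yield (flags, type_code, value) for each attribute in a Path Attributes field."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise TreatAsWithdraw("truncated attribute header")
        flags, type_code = buf[pos], buf[pos + 1]
        pos += 2
        if flags & FLAG_EXTENDED_LENGTH:
            if len(buf) - pos < 2:
                raise TreatAsWithdraw("truncated extended length")
            (length,) = struct.unpack_from("!H", buf, pos)
            pos += 2
        else:
            if len(buf) - pos < 1:
                raise TreatAsWithdraw("truncated length")
            length = buf[pos]
            pos += 1
        if len(buf) - pos < length:
            raise TreatAsWithdraw(f"attribute {type_code}: length {length} exceeds buffer")
        yield flags, type_code, buf[pos:pos + length]
        pos += length


def parse_tunnel_encap(value: bytes):
    """Parse RFC 9012 tunnel TLVs and their sub-TLVs with strict bounds checks."""
    tunnels = []
    pos = 0
    while pos < len(value):
        if len(value) - pos < 4:
            raise TreatAsWithdraw("truncated tunnel TLV header")
        tunnel_type, tlv_len = struct.unpack_from("!HH", value, pos)
        pos += 4
        if len(value) - pos < tlv_len:
            raise TreatAsWithdraw("tunnel TLV length exceeds attribute")
        body = value[pos:pos + tlv_len]
        pos += tlv_len
        sub_tlvs, spos = [], 0
        while spos < len(body):
            sub_type = body[spos]
            spos += 1
            hdr = 1 if sub_type < 128 else 2   # RFC 9012 s3: 1-octet length for types 0-127
            if len(body) - spos < hdr:
                raise TreatAsWithdraw("truncated sub-TLV length")
            sub_len = body[spos] if hdr == 1 else struct.unpack_from("!H", body, spos)[0]
            spos += hdr
            if len(body) - spos < sub_len:
                raise TreatAsWithdraw("sub-TLV length exceeds tunnel TLV")
            sub_tlvs.append((sub_type, body[spos:spos + sub_len]))
            spos += sub_len
        tunnels.append((tunnel_type, sub_tlvs))
    return tunnels


def classify_update_attributes(buf: bytes) -> str:
    """Return 'accept' or 'treat-as-withdraw' for a Path Attributes field."""
    try:
        for _flags, type_code, value in parse_path_attributes(buf):
            if type_code == TUNNEL_ENCAP:
                parse_tunnel_encap(value)
    except TreatAsWithdraw:
        return "treat-as-withdraw"
    return "accept"


def _attr23(body: bytes, extended: bool = False) -> bytes:
    """Wrap a body as an optional+transitive (0xC0) attribute 23; constructed helper."""
    if extended:
        return bytes([0xC0 | FLAG_EXTENDED_LENGTH, TUNNEL_ENCAP]) + struct.pack("!H", len(body)) + body
    return bytes([0xC0, TUNNEL_ENCAP, len(body)]) + body


# Constructed samples: tunnel type 8 with one sub-TLV of type 6 (placeholder numbers).
_BODY = struct.pack("!HH", 8, 8) + bytes([6, 6]) + b"\x00\x00\x00\x00\x0a\x00"
GOOD = _attr23(_BODY)                  # lengths are consistent
GOOD_EXT = _attr23(_BODY, extended=True)
# Sub-TLV claims 20 bytes but only 6 remain in the tunnel TLV.
BAD = _attr23(struct.pack("!HH", 8, 8) + bytes([6, 20]) + b"\x00\x00\x00\x00\x0a\x00")

if __name__ == "__main__":
    print(classify_update_attributes(GOOD))   # accept
    print(classify_update_attributes(BAD))    # treat-as-withdraw
```

The point of the example is the failure path: every length is checked against what actually remains in the buffer before it is used, and the only outcome of a bad length is a withdraw of that UPDATE's prefixes, never a session teardown and never an unhandled error in the daemon.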

💻 Affected Systems

Products:
  • FRRouting FRR
  • Pica8 PICOS
Versions: FRR 7.5.1 through 9.0 inclusive (first fixed release: 9.0.1); PICOS 4.3.3.2
Operating Systems: any Linux or BSD host running FRR's bgpd; Pica8 switches running PICOS
Default Config Vulnerable: ⚠️ Yes, wherever bgpd is enabled (bgpd=yes in /etc/frr/daemons) and has at least one configured neighbor; affected versions have no attribute-level filtering that could be turned on
Notes: Only bgpd is affected. Hosts that run FRR for OSPF, IS-IS or static routing only, or with bgpd disabled, are not exposed. Because the attribute is transitive, exposure is not limited to routers that peer with untrusted parties directly.

📦 What is this software?

FRRouting (FRR) is an open-source routing protocol suite for Linux and Unix hosts (a fork of Quagga) whose bgpd daemon implements BGP; it is used on its own in ISPs, data centres and cloud network stacks, and is embedded in several network operating systems. Pica8 PICOS is a network operating system for white-box switches; it is listed alongside FRR because the affected PICOS release ships FRR's BGP implementation.
⚠️ Risk & Real-World Impact

🔴

Worst Case

bgpd crashes and, because peers re-send the malformed route as soon as the session comes back up, crashes again on every restart. An attacker who attaches the attribute to a prefix that propagates widely can take down many FRR-based routers across the Internet at once, blackholing or rerouting their traffic until the prefix is withdrawn upstream or the routers are patched; this is the class of incident that makes a transitive-attribute bug worse than a peer-local one.

🟠

Likely Case

Individual bgpd crashes on the routers that receive the malformed UPDATE, with session resets, route withdrawals and traffic loss on those devices. watchfrr restarts bgpd automatically, but that does not remove the cause, so the router crash-loops until an operator filters or shuts down the peer delivering the route, the route is withdrawn upstream, or the box is patched.

🟢

If Mitigated

Patched routers apply RFC 7606 handling, treating the malformed attribute as a withdraw of the affected prefixes and logging it, so the impact is limited to losing those prefixes. Session hardening (only configured peers, TCP MD5, GTSM, TCP/179 firewalled) narrows who can inject updates directly, and monitoring for bgpd restarts and session flaps shortens detection time.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that a crafted UPDATE reach a vulnerable bgpd over an established session: from a directly configured peer (including a compromised or misbehaving customer, transit or IX peer) or, because attribute 23 is transitive, from any AS whose announcement propagates through non-validating routers to the target. No authentication beyond session establishment is involved, no user interaction is needed, and a single UPDATE is sufficient.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FRR 9.0.1 and later (check the FRR release notes for the backport to maintained 8.x releases); PICOS: the Pica8-provided update for 4.3.3.2

Vendor Advisory: https://github.com/FRRouting/frr/releases

Restart Required: Yes. Upgrading the frr package restarts frr.service, which resets all BGP sessions; schedule it in a maintenance window or rely on BGP graceful restart where peers support it.

Instructions:

1. Update FRR to 9.0.1 or later (or to a distribution package whose changelog names CVE-2023-38802).
2. For PICOS, apply the vendor-provided patch for 4.3.3.2.
3. Restart bgpd (the package upgrade normally does this; otherwise restart frr.service) or reboot the device, then confirm sessions return to Established.

🔧 Temporary Workarounds

BGP Session Filtering

Restrict who can open a BGP session with the router: only explicitly configured neighbors (FRR does not accept sessions from unconfigured peers), TCP/179 firewalled to known peer addresses, and TCP MD5 plus GTSM where peers support them. Prefix-list filtering, shown below, controls which prefixes are accepted but is applied after the attributes have been parsed, so it does not keep a malformed attribute 23 away from the vulnerable code; it is listed here because it is what most operators already have, not because it mitigates this CVE.

# FRR vtysh configuration: prefix filtering on a neighbor (placeholders in <>)
ip prefix-list FILTER_IN seq 10 permit <prefix>
ip prefix-list FILTER_OUT seq 10 permit <prefix>
router bgp <AS>
 neighbor <IP> prefix-list FILTER_IN in
 neighbor <IP> prefix-list FILTER_OUT out

Prefix Limits (not a mitigation for this CVE)

maximum-prefix caps how many prefixes a neighbor may advertise and tears the session down when the cap is exceeded. It protects table size, not update parsing: one crafted UPDATE is enough to crash bgpd regardless of the limit.

# FRR vtysh configuration: per-neighbor prefix cap
router bgp <AS>
 neighbor <IP> maximum-prefix <limit>

🧯 If You Can't Patch

  • Narrow the injection points: firewall TCP/179 to configured peer addresses, and add neighbor password (TCP MD5) and ttl-security hops (GTSM) on each session so that only intended peers can establish one.
  • Know the limit of that measure: a malformed attribute 23 forwarded by a legitimate upstream still reaches bgpd, and affected versions offer no attribute-level filtering, so the bug itself remains until the upgrade.
  • Monitor for bgpd crashes, watchfrr restarts and repeated session flaps, and be ready to shut down or filter the peer session that is delivering the offending route until the router is patched or the route is withdrawn upstream.

🔍 How to Verify

Check if Vulnerable:

Run vtysh -c 'show version' (or show version inside vtysh); the first line reports the FRR version. A version from 7.5.1 up to and including 9.0 is affected, provided bgpd is enabled in /etc/frr/daemons and has neighbors configured (vtysh -c 'show bgp summary'). Distribution packages sometimes backport the fix without changing the upstream version string, so check the package changelog before concluding that a host is vulnerable.

Check Version:

vtysh -c 'show version'

Verify Fix Applied:

Confirm that show version reports 9.0.1 or later (or a package whose changelog names the CVE), that bgpd is running with its sessions in Established state, and that bgpd's uptime no longer resets unexpectedly. A patched router that receives the malformed attribute logs it and withdraws the affected prefixes instead of crashing.
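The version-range check above, as an added example (my code, not FRR's tooling) that parses the first line of show version output and classifies it against the affected range; the sample lines are constructed to match that line's shape ("FRRouting X.Y.Z (hostname) on ...") and the assess_local_host helper assumes vtysh is on PATH. It makes the boundary cases explicit: 9.0 is affected, 9.0.1 is not, 7.5 is not. The backport caveat still applies and cannot be decided from the version string.

```python
"""Classify an FRR build as affected by CVE-2023-38802 from its version string.

Added example, not FRR tooling. Affected range: 7.5.1 <= version <= 9.0.
Caveat: distribution packages may backport the fix without bumping the
upstream version; consult the package changelog as well.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (7, 5, 1)
AFFECTED_MAX: Version = (9, 0, 0)   # "9.0" is 9.0.0; 9.0.1 is the first fixed release


def parse_frr_version(show_version_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the first line of `show version`."""
    m = re.search(r"FRRouting\s+(\d+)\.(\d+)(?:\.(\d+))?", show_version_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: Version) -> bool:
    """Inclusive range comparison on (major, minor, patch) tuples."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(show_version_output: str) -> str:
    """'vulnerable', 'not-affected', or 'unknown' when no FRR version is found."""
    version = parse_frr_version(show_version_output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_affected(version) else "not-affected"


def assess_local_host() -> str:
    """Run vtysh on this host (assumes it is on PATH); 'unknown' if FRR is absent."""
    try:
        proc = subprocess.run(["vtysh", "-c", "show version"],
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(proc.stdout)


# Constructed samples modelled on the first line of `show version`.
SAMPLES = {
    "FRRouting 8.5.2 (router1) on Linux(5.15.0).": "vulnerable",
    "FRRouting 9.0 (router2) on Linux(6.1.0).": "vulnerable",
    "FRRouting 9.0.1 (router3) on Linux(6.1.0).": "not-affected",
    "FRRouting 7.5 (router4) on Linux(5.4.0).": "not-affected",
    "FRRouting 10.1 (router5) on Linux(6.6.0).": "not-affected",
    "Quagga 1.2.4 (router6).": "unknown",
}

if __name__ == "__main__":
    for line, expected in SAMPLES.items():
        print(f"{assess(line):13s} {line}")
    print("this host:", assess_local_host())
```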

📡 Detection & Monitoring

Log Indicators:

  • bgpd restarts: watchfrr reporting bgpd down and restarting it, kernel segfault messages naming bgpd, or core dumps from frr.service
  • Repeated %ADJCHANGE "Down" lines for the same neighbor in a short window (the crash-loop signature), rather than a single clean reset
  • On patched versions, bgpd messages reporting a malformed or rejected Tunnel Encapsulation attribute; unpatched versions typically crash without logging the parse failure first

Network Indicators:

  • UPDATE messages carrying path attribute type 23 from peers that have never sent it before (capture with tcp port 179 and decode the attribute type codes)
  • Sessions from the same peer re-establishing every few seconds
  • Attribute 23 values whose TLV or sub-TLV lengths do not add up to the attribute length

SIEM Query:

The strings below are placeholders; replace them with the exact messages your FRR version, watchfrr and init system emit (stop bgpd once in a lab to see them) before relying on the query.

source="*syslog*" AND ("bgpd crashed" OR "BGP process terminated unexpectedly" OR "attribute 23 error")
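The same detection logic run over sample log lines, as an added example (my code, not part of this advisory or FRR): it flags crash signals immediately and flags a peer whose session drops three times within five minutes. The log lines are constructed; they imitate the shape of kernel segfault, watchfrr and bgpd %ADJCHANGE messages but are not verbatim FRR output, and the regular expressions are assumptions to tune against your own logs.

```python
"""Detect bgpd crash signals and session crash-loops in syslog-style lines.

Added example. Sample lines are constructed; patterns are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Crash signals (assumed shapes: kernel segfault line, watchfrr state change, core dump).
CRASH_PATTERNS = [
    re.compile(r"\bbgpd\[\d+\]: segfault at"),
    re.compile(r"watchfrr\[\d+\]: bgpd state -> down"),
    re.compile(r"\bbgpd\b.*(core dumped|SIGSEGV|SIGABRT)"),
]
# Session drop: "%ADJCHANGE: neighbor <peer> ... Down ..." (assumed shape).
RESET_PATTERN = re.compile(r"%ADJCHANGE: neighbor (?P<peer>[0-9a-fA-F.:]+).*\bDown\b")
# Post-patch indicator: bgpd rejecting a malformed attribute 23 (assumed wording).
ATTR_PATTERN = re.compile(r"bgpd\[\d+\]:.*(tunnel encap|attribute 23|treat-as-withdraw)", re.I)


def parse_syslog_ts(line: str, year: int = 2023) -> datetime:
    """Parse the leading 'Mon DD HH:MM:SS' of a traditional syslog line."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def detect(lines: Iterable[str], reset_threshold: int = 3,
           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str]]:
    """Return (kind, detail) alerts: 'crash', 'attr23', or 'flap' per peer."""
    alerts: List[Tuple[str, str]] = []
    drops = defaultdict(deque)        # peer -> timestamps of recent session drops
    flagged = set()                   # peers already reported as flapping
    for line in lines:
        line = line.rstrip()
        if any(p.search(line) for p in CRASH_PATTERNS):
            alerts.append(("crash", line))
            continue
        if ATTR_PATTERN.search(line):
            alerts.append(("attr23", line))
        m = RESET_PATTERN.search(line)
        if not m:
            continue
        peer, ts = m.group("peer"), parse_syslog_ts(line)
        q = drops[peer]
        q.append(ts)
        while q and ts - q[0] > window:   # keep only drops inside the window
            q.popleft()
        if len(q) >= reset_threshold and peer not in flagged:
            flagged.add(peer)
            alerts.append(("flap", f"peer {peer} dropped {len(q)} times within {window}"))
    return alerts


# Constructed sample log: one peer crash-looping, one normal drop, then a crash.
SAMPLE_LOG = """\
Aug 29 10:00:01 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.1 Up
Aug 29 10:00:05 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification received
Aug 29 10:00:09 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.1 Up
Aug 29 10:00:12 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification received
Aug 29 10:00:30 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 198.51.100.7 Down Interface down
Aug 29 10:00:41 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification received
Aug 29 10:00:55 rtr1 bgpd[1234]: 192.0.2.1: malformed Tunnel Encap attribute, treat-as-withdraw
Aug 29 10:00:59 rtr1 kernel: bgpd[1234]: segfault at 0 ip 0000000000000000 sp 0000000000000000 error 4 in bgpd
Aug 29 10:01:02 rtr1 watchfrr[1200]: bgpd state -> down : read returned EOF
""".splitlines()

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Feed it journalctl or syslog output one line per iteration; the sliding window means a peer that drops once a day never alerts, while the crash-loop that this CVE produces (drops seconds apart) alerts on the third drop.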

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-38802
  • FRRouting releases (9.0.1 and later): https://github.com/FRRouting/frr/releases
