CVE-2023-41359

9.1 CRITICAL

📋 TL;DR

CVE-2023-41359 is an out-of-bounds read vulnerability in FRRouting FRR's BGP daemon that occurs during AIGP attribute validation. Attackers could exploit this to cause denial of service or potentially leak sensitive memory contents. Organizations running FRR for BGP routing are affected.
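The class of check involved, as an added example (not FRR's code and not part of the original advisory): a bounds-checked walk over the TLVs of an AIGP attribute as laid out in RFC 7311, where each TLV has a 1-byte type and a 2-byte length that includes the 3-byte header, and type 1 carries an 8-byte metric. The function name `aigp_parse` and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_HDR_LEN      3   /* 1-byte type + 2-byte length (RFC 7311) */
#define TLV_AIGP         1   /* AIGP TLV type */
#define TLV_AIGP_LEN     11  /* header + 8-byte metric */

/* Hypothetical helper, not FRR's function. Walks the TLVs in an AIGP
 * attribute body and stores the first AIGP metric in *metric.
 * Returns 0 on success, -1 if any TLV is malformed or no metric exists. */
int aigp_parse(const uint8_t *buf, size_t len, uint64_t *metric)
{
    size_t off = 0;
    int found = 0;

    while (off < len) {
        size_t remaining = len - off;
        if (remaining < TLV_HDR_LEN)
            return -1;              /* truncated header: do not read length */
        uint8_t type = buf[off];
        size_t tlv_len = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        if (tlv_len < TLV_HDR_LEN || tlv_len > remaining)
            return -1;              /* no progress, or runs past the buffer */
        if (type == TLV_AIGP) {
            if (tlv_len != TLV_AIGP_LEN)
                return -1;
            if (!found) {           /* only the first AIGP TLV is used */
                uint64_t m = 0;
                for (int i = 0; i < 8; i++)
                    m = (m << 8) | buf[off + TLV_HDR_LEN + i];
                *metric = m;
                found = 1;
            }
        }
        off += tlv_len;             /* other TLV types are skipped */
    }
    return found ? 0 : -1;
}

int main(void)
{
    /* Constructed samples: a valid TLV (metric 100) and one cut to 2 bytes. */
    const uint8_t good[] = {1, 0, 11, 0, 0, 0, 0, 0, 0, 0, 100};
    uint64_t m = 0;
    printf("good=%d ", aigp_parse(good, sizeof good, &m));
    printf("metric=%llu truncated=%d\n", (unsigned long long)m, aigp_parse(good, 2, &m));
    return 0;
}
```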

💻 Affected Systems

Products:
  • FRRouting FRR
Versions: All versions through 9.0
Operating Systems: Linux, FreeBSD, Other Unix-like systems running FRR
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with BGP enabled and AIGP attribute processing.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, though this requires specific memory layout conditions.

🟠 Likely Case: Denial of service through BGP daemon crash, disrupting network routing.

🟢 If Mitigated: Limited impact with proper network segmentation and BGP session filtering.

🌐 Internet-Facing: HIGH - BGP peers are typically internet-facing and unauthenticated exploitation is possible.
🏢 Internal Only: MEDIUM - Internal BGP sessions could still be exploited by compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted BGP packets with AIGP attributes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.1 and later, or apply commit from PR #14232

Vendor Advisory: https://github.com/FRRouting/frr/pull/14232

Restart Required: Yes

Instructions:

1. Update FRR to version 9.0.1 or later.
2. Restart the bgpd service: 'systemctl restart frr' or 'service frr restart'.
3. Verify that BGP sessions re-establish.

🔧 Temporary Workarounds

Filter AIGP attributes

Use BGP route-maps to filter or reject routes containing AIGP attributes

route-map FILTER-AIGP deny 10
match aigp
route-map FILTER-AIGP permit 20
neighbor <peer> route-map FILTER-AIGP in

🧯 If You Can't Patch

  • Implement strict BGP session filtering to trusted peers only
  • Deploy network-based intrusion detection to monitor for anomalous BGP packets

🔍 How to Verify

Check if Vulnerable:

Check the FRR version with 'frr --version' or 'vtysh -c "show version"'. If the version is 9.0 or earlier, the system is vulnerable.

Check Version:

frr --version

Verify Fix Applied:

Verify that the FRR version is 9.0.1 or later, and check that BGP sessions are stable after applying the patch.

📡 Detection & Monitoring

Log Indicators:

  • BGP daemon crashes
  • Segmentation fault errors in frr logs
  • Unexpected BGP session resets

Network Indicators:

  • Malformed BGP packets with AIGP attributes
  • Unusual BGP update patterns

SIEM Query:

source="frr.log" AND ("segmentation fault" OR "crash" OR "bgpd terminated")
