CVE-2023-41361 – CVE-2023-41361 is a buffer overflow vulnerabili... (How to Fix)

Q: What is the severity of CVE-2023-41361?

CVE-2023-41361 has a CVSS score of 9.8 (CRITICAL). CVE-2023-41361 is a buffer overflow vulnerability in FRRouting's BGP daemon (bgpd) that occurs when processing BGP OPEN messages with overly large software version strings. Attackers can exploit this to execute arbitrary code or crash the bgpd process, potentially compromising routing infrastructure. Organizations running FRRouting with BGP enabled are affected.

📋 TL;DR

CVE-2023-41361 is a buffer overflow vulnerability in FRRouting's BGP daemon (bgpd) that occurs when processing BGP OPEN messages with overly large software version strings. Attackers can exploit this to execute arbitrary code or crash the bgpd process, potentially compromising routing infrastructure. Organizations running FRRouting with BGP enabled are affected.

💻 Affected Systems

Products:

FRRouting FRR

Versions: FRR 9.0

Operating Systems: Linux-based systems running FRR

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with bgpd enabled and configured for BGP peering. The vulnerability is triggered during BGP session establishment.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Frrouting by Frrouting

View all CVEs affecting Frrouting →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete compromise of the routing daemon, enabling attackers to manipulate routing tables, intercept traffic, or pivot to other network segments.

🟠

Likely Case

Denial of service through bgpd process crash, disrupting BGP peering and causing network outages until service is restored.

🟢

If Mitigated

Limited impact if proper network segmentation and BGP session filtering are in place, potentially containing the attack to isolated segments.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending a malicious BGP OPEN message, which can be done by any BGP peer or attacker who can establish a BGP session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FRR 9.0.1 or later

Vendor Advisory: https://github.com/FRRouting/frr/pull/14241

Restart Required: Yes

Instructions:

1. Update FRR to version 9.0.1 or later using your distribution's package manager. 2. Restart the bgpd service: 'systemctl restart frr' or 'service frr restart'. 3. Verify the patch is applied by checking the FRR version.

🔧 Temporary Workarounds

BGP Session Filtering

linux

Implement strict BGP session filtering to only allow connections from trusted peers using access lists or firewall rules.

ip access-list standard TRUSTED_PEERS
permit host <trusted-peer-ip>
router bgp <as-number>
neighbor <trusted-peer-ip> remote-as <peer-as>
neighbor <trusted-peer-ip> prefix-list TRUSTED_PEERS in

🧯 If You Can't Patch

Implement strict network segmentation to isolate BGP-speaking devices from untrusted networks.
Deploy intrusion detection/prevention systems (IDS/IPS) to monitor for anomalous BGP traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Check FRR version: 'frr --version' or 'vtysh -c 'show version''. If version is 9.0, the system is vulnerable.

Check Version:

frr --version

Verify Fix Applied:

After patching, verify the version is 9.0.1 or later using 'frr --version'. Also monitor bgpd logs for stability.

📡 Detection & Monitoring

Log Indicators:

bgpd process crashes in system logs
Unusual BGP session resets or failures in FRR logs

Network Indicators:

Abnormal BGP OPEN messages with large payloads
Sudden BGP session drops from specific peers

SIEM Query:

source="frr.log" AND "bgpd" AND ("crash" OR "segmentation fault" OR "buffer overflow")

📊 Metadata

CVE ID: CVE-2023-41361

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-120

Published: August 29, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/FRRouting/frr/pull/14241 Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00020.html Mailing List,Third Party Advisory
https://github.com/FRRouting/frr/pull/14241 Patch,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00020.html Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-41361, you might also want to check these: