CVE-2023-41909
📋 TL;DR
This vulnerability in FRRouting FRR allows remote attackers to cause a denial of service (crash) by sending specially crafted BGP flowspec requests with no attributes. The NULL pointer dereference in bgp_nlri_parse_flowspec leads to bgpd process termination. Organizations running FRR for BGP routing are affected.
💻 Affected Systems
- FRRouting FRR
📦 What is this software?
Fedora by Fedoraproject
Frrouting by Frrouting
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of BGP routing services, causing network outages and loss of connectivity for dependent systems.
Likely Case
Service disruption of the bgpd daemon, requiring manual restart and potentially causing temporary routing instability.
If Mitigated
Limited impact with proper network segmentation and monitoring, allowing quick detection and recovery.
🎯 Exploit Status
Exploitation requires sending malformed BGP flowspec packets to vulnerable BGP peers, which is straightforward for attackers with BGP access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit cfd04dcb3e689754a72507d086ba3b9709fc5ed8 and later versions
Vendor Advisory: https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8
Restart Required: Yes
Instructions:
1. Update FRR to version 9.0.1 or later.
2. For Debian: apt update && apt upgrade frr
3. For Fedora: dnf update frr
4. Restart the bgpd service: systemctl restart frr or systemctl restart bgpd
🔧 Temporary Workarounds
Disable BGP flowspec
Disable the BGP flowspec feature if it is not required:
router bgp <ASN>
no bgp flowspec
Restrict BGP peer access
Use access lists to limit which peers can send BGP updates:
ip prefix-list TRUSTED-PEERS permit <peer-ip>
router bgp <ASN>
neighbor <peer-ip> prefix-list TRUSTED-PEERS in
🧯 If You Can't Patch
- Implement strict BGP peer filtering using prefix lists and route maps
- Monitor bgpd process health and implement automatic restart on crash
🔍 How to Verify
Check if Vulnerable:
Check the FRR version: frr --version. If the version is 9.0 or earlier, the system is vulnerable.
Check Version:
frr --version
Verify Fix Applied:
Verify that the FRR version is 9.0.1 or later: frr --version. Check that the bgpd process is running: systemctl status frr or ps aux | grep bgpd.
📡 Detection & Monitoring
Log Indicators:
- bgpd process crashes in syslog
- Segmentation fault messages in FRR logs
- BGP session resets from unexpected peers
Network Indicators:
- Unexpected BGP flowspec packets from untrusted sources
- BGP session flaps with specific peers
SIEM Query:
source="frr.log" AND ("segmentation fault" OR "NULL pointer" OR "bgpd crashed")
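The SIEM query above matches individual lines, but a single bgpd crash usually logs several of them. The following added example (not part of the original advisory or of FRR) applies the same three terms, collapses the matches into distinct crashes, and flags a crash loop. The log layout, the 60-second merge gap, the 10-minute window and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Terms from the page's SIEM query, matched case-insensitively anywhere in a line.
CRASH_TERMS = re.compile(r"segmentation fault|NULL pointer|bgpd crashed", re.I)
# Assumed timestamp prefix of the log lines ("YYYY/MM/DD HH:MM:SS ").
STAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")

def crash_events(lines):
    """Return (timestamp or None, line) for every line the query would match."""
    events = []
    for line in lines:
        if CRASH_TERMS.search(line):
            m = STAMP.match(line)
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None
            events.append((when, line.strip()))
    return events

def distinct_crashes(events, gap=timedelta(seconds=60)):
    """Collapse matches within `gap` of a crash's first line into one crash."""
    crashes = []
    for when in sorted(t for t, _ in events if t is not None):
        if not crashes or when - crashes[-1] > gap:
            crashes.append(when)
    return crashes

def crash_loop(crashes, threshold=2, window=timedelta(minutes=10)):
    """True when `threshold` crashes fall inside `window` (repeated triggering)."""
    return any(crashes[i + threshold - 1] - crashes[i] <= window
               for i in range(len(crashes) - threshold + 1))

# Constructed sample lines (not real FRR output).
SAMPLE_LOG = [
    "2023/09/20 10:00:01 BGP: Received signal 11 (segmentation fault); aborting",
    "    backtrace: NULL pointer dereference",
    "2023/09/20 10:00:05 WATCHFRR: bgpd crashed, restarting",
    "2023/09/20 10:04:30 BGP: Received signal 11 (Segmentation Fault); aborting",
    "2023/09/20 11:30:00 BGP: 192.0.2.10 session established",
]

if __name__ == "__main__":
    events = crash_events(SAMPLE_LOG)
    crashes = distinct_crashes(events)
    print(f"{len(events)} matching lines, {len(crashes)} distinct crashes")
    if crash_loop(crashes):
        print("ALERT: bgpd crashed repeatedly within 10 minutes")
```

Alerting on distinct crashes rather than raw matches avoids paging once per log line, and a repeat crash shortly after a restart is the signal that a peer keeps resending the triggering update.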
🔗 References
- https://github.com/FRRouting/frr/pull/13222/commits/cfd04dcb3e689754a72507d086ba3b9709fc5ed8
- https://lists.debian.org/debian-lts-announce/2023/09/msg00020.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JLG64IF3FU7V76K4TKCCXVNEE6P2VUDO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LMJNX44SMJM25JZO7XWHDQCOB4SNJPIE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXR6PIVY4SWO7HDT4EY733H4X32SCPM4/