CVE-2023-47234

7.5 HIGH

📋 TL;DR

A vulnerability in FRRouting FRR allows remote attackers to cause a denial of service (crash) by sending a specially crafted BGP UPDATE message with an MP_UNREACH_NLRI attribute containing malformed NLRI data. This affects FRR installations that process BGP traffic, primarily network routers and devices running vulnerable FRR versions.

💻 Affected Systems

Products:
  • FRRouting FRR
Versions: Through 9.0.1
Operating Systems: Linux-based systems running FRR
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with BGP enabled and configured to accept UPDATE messages from peers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of BGP routing, causing network outages and potential cascading failures in dependent systems.

🟠 Likely Case

Service crash requiring manual restart of FRR daemon, leading to temporary routing instability and packet loss.

🟢 If Mitigated

Isolated crash of FRR process with automatic restart mechanisms limiting downtime to seconds/minutes.

🌐 Internet-Facing: HIGH - BGP peers are typically internet-facing, and exploitation requires only network access to BGP port (TCP/179).
🏢 Internal Only: MEDIUM - Internal BGP sessions could be exploited by compromised internal systems or malicious insiders.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted BGP packet to a vulnerable peer, which is straightforward for attackers with BGP protocol knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit c37119df45bbf4ef713bc10475af2ee06e12f3bf and later versions

Vendor Advisory: https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf

Restart Required: Yes

Instructions:

1. Update FRR to version after 9.0.1 or apply commit c37119df45bbf4ef713bc10475af2ee06e12f3bf.
2. Restart FRR services (bgpd).
3. Verify BGP sessions re-establish properly.

🔧 Temporary Workarounds

BGP Peer Filtering

linux

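Restrict BGP connections to trusted peers only using access control lists. The prefix-list below filters the prefixes accepted from an established neighbor; it does not control which hosts can open a session on TCP/179, so that restriction has to be enforced with a packet filter or ACL in front of bgpd.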

ip prefix-list TRUSTED-PEERS seq 5 permit 192.0.2.0/24
router bgp 65001
neighbor 192.0.2.1 prefix-list TRUSTED-PEERS in

TCP MD5 Authentication

linux

Enable TCP MD5 authentication for BGP sessions to prevent unauthorized connections

router bgp 65001
neighbor 192.0.2.1 password mysecretpassword

🧯 If You Can't Patch

  • Implement strict BGP peer filtering to only allow connections from trusted sources
  • Deploy network monitoring to detect anomalous BGP traffic patterns and restart FRR if crashes occur

🔍 How to Verify

Check if Vulnerable:

Check FRR version: vtysh -c "show version". If version is 9.0.1 or earlier and BGP is enabled, system is vulnerable.

Check Version:

vtysh -c "show version"

Verify Fix Applied:

Verify FRR version is after 9.0.1 and check commit history includes c37119df45bbf4ef713bc10475af2ee06e12f3bf.
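
The version-and-BGP check described above as a script. This is an added example, not FRR project code; the function names and the assumed layout of the `show version` banner are assumptions, and the sample banner and daemons file are constructed.

```shell
#!/bin/sh
# Added example (not FRR project code): apply the rule above,
# "version 9.0.1 or earlier AND BGP enabled => vulnerable".
LAST_AFFECTED="9.0.1"   # from this page: "Versions: Through 9.0.1"

# Pull the dotted version out of a `show version` banner.
# Assumed banner layout: "FRRouting <version> (<host>) on Linux(...)".
frr_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^FRRouting \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds when dotted version $1 <= $2, comparing field by field as numbers
# (so 10.0 sorts after 9.0.1, and a missing field counts as 0).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# bgpd is started only when the daemons file ($1) carries bgpd=yes.
bgpd_enabled() {
    grep -Eq '^[[:space:]]*bgpd=yes' "$1" 2>/dev/null
}

# Usage: assess_frr "<banner text>" <daemons file>; prints one verdict line.
assess_frr() {
    ver=$(frr_version_from_banner "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if ! version_le "$ver" "$LAST_AFFECTED"; then echo "not-affected $ver"; return 0; fi
    if bgpd_enabled "$2"; then echo "vulnerable $ver"; else echo "bgpd-disabled $ver"; fi
}

# Constructed sample input so this runs offline. On a real host:
#   assess_frr "$(vtysh -c 'show version')" /etc/frr/daemons
demo=$(mktemp)
printf 'zebra=yes\nbgpd=yes\n' > "$demo"
assess_frr "FRRouting 9.0.1 (edge1) on Linux(6.1.0)." "$demo"
rm -f "$demo"
```

A host on 9.0.1 or earlier that carries a backported fix is still reported as vulnerable by this check; confirm against the commit as described above.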

📡 Detection & Monitoring

Log Indicators:

  • FRR bgpd process crashes
  • BGP session resets with malformed UPDATE messages in logs
  • Unexpected bgpd restarts in system logs

Network Indicators:

  • BGP UPDATE messages with MP_UNREACH_NLRI attribute from untrusted sources
  • Abnormal BGP packet sizes or structures

SIEM Query:

source="frr.log" AND "bgpd" AND ("crash" OR "segmentation fault" OR "malformed UPDATE")
