CVE-2024-44070
📋 TL;DR
A missing bounds check in the FRRouting (FRR) BGP daemon (bgpd). The bgp_attr_encap function, which parses the TLVs carried in the encapsulation path attribute of a BGP UPDATE, does not check the actual remaining stream length before taking each TLV value. A peer that sends an UPDATE whose TLV length field promises more bytes than the message actually contains can make bgpd read past the end of the received data, crashing the daemon (denial of service); memory-unsafe parsing of this kind is treated here as a potential path to arbitrary code execution in the worst case. Any deployment whose bgpd accepts BGP sessions from a peer that is not fully trusted is exposed, and the parsing happens before any inbound route policy is evaluated, so prefix filters do not help.
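To make the class of bug concrete, the following is an added example (not FRR's code and not a reproduction of its on-the-wire handling): a TLV parser in the flawed shape, where each TLV length is compared only with the attribute's declared length, beside the hardened shape that also checks the bytes actually readable from the message. The TLV header layout assumed here is a 2-byte type and 2-byte length (the RFC 9012 Tunnel Encapsulation TLV header); the crafted input is constructed in the block, not captured from real traffic.

```python
"""Added example (not FRR code): how the missing check in a TLV parser
shows up, and the bounds check that closes it.

Assumptions: the attribute value is a run of TLVs with a 2-byte type and a
2-byte length (the RFC 9012 Tunnel Encapsulation TLV header); the sample
inputs are constructed here, not captured from real traffic.
"""
import struct

TLV_HDR = struct.Struct("!HH")  # type, length (both big-endian 16-bit)


class MalformedAttribute(ValueError):
    """Raised when the attribute should be rejected (in BGP the session is
    then reset with a NOTIFICATION instead of the daemon crashing)."""


def parse_tlvs_unchecked(stream: bytes, offset: int, attr_len: int):
    """Models the flawed logic: each TLV length is compared only with the
    attribute's *declared* length, never with the bytes actually received.
    Python slicing truncates silently, so instead of crashing this also
    returns how many bytes past the end of the message a C parser that
    trusts the same lengths would have read."""
    tlvs, pos, remaining = [], offset, attr_len
    while remaining >= TLV_HDR.size:
        tlv_type, tlv_len = TLV_HDR.unpack_from(stream, pos)
        pos += TLV_HDR.size
        remaining -= TLV_HDR.size
        if tlv_len > remaining:          # the only check the flawed code has
            raise MalformedAttribute("TLV length exceeds declared attribute length")
        tlvs.append((tlv_type, bytes(stream[pos:pos + tlv_len])))
        pos += tlv_len                   # may now point well beyond the buffer
        remaining -= tlv_len
    overread = max(0, pos - len(stream))
    return tlvs, overread


def parse_tlvs_checked(stream: bytes, offset: int, attr_len: int):
    """Hardened version: every length is checked against the bytes that are
    really readable from the message before anything is consumed."""
    readable = len(stream) - offset
    if attr_len > readable:
        raise MalformedAttribute(f"attribute claims {attr_len} bytes, only {readable} readable")
    end = offset + attr_len
    tlvs, pos = [], offset
    while pos < end:
        if end - pos < TLV_HDR.size:
            raise MalformedAttribute("truncated TLV header")
        tlv_type, tlv_len = TLV_HDR.unpack_from(stream, pos)
        pos += TLV_HDR.size
        # Check against the declared attribute length AND the real stream
        # length; the second is redundant after the check above but is the
        # per-TLV guard the flawed parser lacks.
        if tlv_len > end - pos or tlv_len > len(stream) - pos:
            raise MalformedAttribute(f"TLV type {tlv_type} claims {tlv_len} bytes, only {end - pos} left")
        tlvs.append((tlv_type, bytes(stream[pos:pos + tlv_len])))
        pos += tlv_len
    return tlvs


def rejects(stream: bytes, offset: int, attr_len: int) -> bool:
    """True if the hardened parser refuses the input."""
    try:
        parse_tlvs_checked(stream, offset, attr_len)
    except MalformedAttribute:
        return True
    return False


def build_tlvs(items):
    """Encode (type, value) pairs; used to construct the sample inputs."""
    return b"".join(TLV_HDR.pack(t, len(v)) + v for t, v in items)


# Constructed sample inputs (not real captures).
# Well-formed: the declared length equals the bytes present.
GOOD_VALUE = build_tlvs([(1, b"\x0a\x00\x00\x01"), (2, b"\x00\x01")])
GOOD_MSG = (GOOD_VALUE, 0, len(GOOD_VALUE))

# Crafted: attribute length and TLV length both promise 64 bytes of value,
# but the message ends right after the 4-byte TLV header.
CRAFTED_HEADER = TLV_HDR.pack(1, 64)
CRAFTED_MSG = (CRAFTED_HEADER, 0, TLV_HDR.size + 64)

if __name__ == "__main__":
    print("good, flawed parser  :", parse_tlvs_unchecked(*GOOD_MSG))
    print("good, hardened parser:", parse_tlvs_checked(*GOOD_MSG))
    print("crafted, flawed parser reads past end by",
          parse_tlvs_unchecked(*CRAFTED_MSG)[1], "bytes")
    print("crafted, hardened parser rejects:", rejects(*CRAFTED_MSG))
```

The point of the two parsers side by side: the flawed one is internally consistent (it never reads more than the attribute header declares) and still walks 64 bytes past the end of the message, because nothing ties the declared length back to what was actually received. Any parser over network input needs the "is this many bytes really still in the buffer" check at every consumption point, not just the self-consistency check between length fields.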
💻 Affected Systems
- FRRouting (FRR), specifically the bgpd daemon, in releases before the fix (see Fix & Mitigation)
📦 What is this software?
FRRouting (FRR) is an open-source IP routing protocol suite for Linux and Unix, forked from Quagga and maintained by the FRRouting project. It implements BGP, OSPF, IS-IS, RIP and other protocols as separate daemons (bgpd, ospfd, and so on) coordinated by zebra and configured through vtysh. bgpd, the daemon affected here, is widely used on Linux-based routers and switches, in network operating systems built on FRR, and for BGP peering inside cloud and Kubernetes networks.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution inside bgpd, giving the attacker control of the routing daemon: routes could be injected or withdrawn on the victim and propagated to its peers, and the compromised host used as a foothold into the network.
Likely Case
bgpd crashes on the crafted UPDATE, tearing down every BGP session on the box. Until bgpd is restarted, the routes it announced are withdrawn and the routes it learned are gone, so traffic is blackholed or rerouted; a peer can repeat the crash at will.
If Mitigated
With sessions accepted only from explicitly configured, authenticated peers and TCP/179 firewalled from everyone else, exposure is limited to a trusted peer that is itself compromised or misbehaving.
🎯 Exploit Status
The attacker must be able to deliver a BGP UPDATE to bgpd, which requires an established BGP session: either a configured peer (or someone who has compromised one), or, where TCP/179 is reachable and the session is not authenticated, any host that can complete the BGP OPEN exchange for a configured neighbor address. No credentials are needed beyond whatever the peer configuration already demands. Inbound prefix-lists and route-maps do not block the attack, because the vulnerable parsing runs before policy is applied.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in FRR 10.2 and later versions (distributions may also ship the fix as a backport under an older package version; check your distribution's security advisory)
Vendor Advisory: https://github.com/FRRouting/frr/pull/16497
Restart Required: Yes
Instructions:
1. Upgrade FRR to a release containing the fix (10.2 or later, or your distribution's patched package).
2. Debian/Ubuntu: apt update && apt install frr (from your distribution's or FRR's own package repository).
3. Restart the daemons: systemctl restart frr. This drops every BGP session on the box, so do it in a maintenance window; bgpd only runs the fixed code after the restart.
4. Confirm the sessions re-establish: vtysh -c 'show bgp summary' should list a prefix count, not Idle/Active/Connect, for every peer.
🔧 Temporary Workarounds
BGP Session Filtering
Limit who can open a BGP session, not only which routes a session may carry. The vulnerable code runs while the UPDATE is parsed, before any inbound prefix-list or route-map is evaluated, so route filtering on its own does not stop this bug. Keep the prefix filtering (it bounds the damage a malicious or misconfigured peer can do to the routing table), but pair it with session authentication and a TTL check so that only configured, authenticated peers ever reach the parser:
# Example: FRR peer configuration (placeholders in angle brackets)
router bgp <ASN>
 neighbor <PEER_IP> remote-as <PEER_ASN>
 neighbor <PEER_IP> password <SHARED_SECRET>
 neighbor <PEER_IP> ttl-security hops 1
 address-family ipv4 unicast
  neighbor <PEER_IP> prefix-list TRUSTED_PREFIXES in
  neighbor <PEER_IP> prefix-list TRUSTED_PREFIXES out
 exit-address-family
!
ip prefix-list TRUSTED_PREFIXES seq 10 permit <PREFIX>/<LEN> le 24
The password line enables TCP MD5 authentication (the secret must match on both ends); ttl-security hops 1 is for directly connected eBGP peers and cannot be combined with ebgp-multihop.
Network Segmentation
Isolate the routing plane so that only configured peers can reach TCP/179 on the router. A host firewall in front of bgpd (IPv4 shown; repeat with ip6tables, or use an nftables set, for IPv6 peers):
# Example iptables rules restricting BGP access; place them before any general ACCEPT rule
iptables -A INPUT -p tcp --dport 179 -s <TRUSTED_PEER_1> -j ACCEPT
iptables -A INPUT -p tcp --dport 179 -s <TRUSTED_PEER_2> -j ACCEPT
iptables -A INPUT -p tcp --dport 179 -j DROP
These rules cover sessions the peer initiates. For sessions bgpd initiates, the peer's replies arrive with source port 179 and an ephemeral destination port, and are handled by your existing ESTABLISHED rule. If iBGP peers use loopback addresses, list the loopback addresses as the trusted sources.
🧯 If You Can't Patch
- Require session authentication so an unauthorized host cannot complete a BGP session at all: TCP MD5 (neighbor <PEER_IP> password <SECRET> in FRR, matching on both ends) or TCP-AO where both ends support it. For directly connected eBGP peers add neighbor <PEER_IP> ttl-security hops 1 so packets from further away are discarded before bgpd sees them.
- Do not treat prefix-lists or route-maps as a mitigation; the vulnerable parsing runs before inbound policy. Every session with a peer you do not fully trust remains exposed until bgpd is patched.
- Make sure bgpd is restarted automatically after a crash (watchfrr or a systemd Restart= setting) so an attack is a short outage rather than a long one, and monitor for the crash and session-flap indicators listed under Detection & Monitoring.
🔍 How to Verify
Check if Vulnerable:
FRR has no frr binary; ask vtysh or the daemon for the version: vtysh -c 'show version' (the first line reads FRRouting <version> ...) or bgpd --version. On Debian/Ubuntu also compare the package: dpkg -l frr. A reported version of 10.1.x or earlier means bgpd is vulnerable unless your distribution has backported the fix (check its advisory for the patched package version).
Check Version:
vtysh -c 'show version'
Verify Fix Applied:
vtysh -c 'show version' reports 10.2 or later (or the distribution's patched package version), bgpd has been restarted since the package was upgraded (compare the process start time in systemctl status frr with the package install time), and vtysh -c 'show bgp summary' shows a prefix count rather than a state name for every peer.
📡 Detection & Monitoring
Log Indicators:
- BGP session resets: with bgp log-neighbor-changes enabled, bgpd logs %ADJCHANGE: neighbor <peer> ... Down lines; repeated Down/Up cycles from one peer in a short window are the signal
- bgpd process crashes: watchfrr reporting bgpd state -> down, systemd showing the frr service's bgpd process exited on a signal
- Memory corruption symptoms in syslog: bgpd's crash handler line (Received signal 11 ...), kernel segfault messages naming bgpd, core dumps
- UPDATE messages or session attempts from addresses that are not configured neighbors
Network Indicators:
- BGP UPDATE messages with abnormal sizes or with an attribute length that runs past the end of the message
- Multiple BGP session resets from a single peer
- Encapsulation attribute TLVs whose length fields exceed the bytes actually present in the UPDATE
SIEM Query:
source="/var/log/frr/frr.log" AND (("bgpd" AND ("Received signal" OR "segfault" OR "core dumped")) OR "bgpd state -> down" OR ("%ADJCHANGE" AND "Down"))
Alert on any crash match, and on the %ADJCHANGE matches only when the same peer goes Down repeatedly within a short window (for example three times in ten minutes); a single Down is routine.
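As an added example (not part of the original page or of FRR), the log indicators above turned into a small detector that runs over constructed sample lines: it flags bgpd crash lines, watchfrr daemon-down lines, and peers whose sessions dropped repeatedly within a time window. The sample messages are modelled on FRR's %ADJCHANGE neighbor-change logs, the crash handler's "Received signal" line and watchfrr's "state -> down" message, but they are constructed here, and exact wording differs between FRR versions, so adjust the patterns to what your own logs show.

```python
"""Added example (not FRR code): a detector for the log indicators listed
above, run over constructed syslog-style sample lines.

Assumptions: syslog format "<Mon dd HH:MM:SS> <host> <proc>[<pid>]: <msg>";
message bodies modelled on FRR's %ADJCHANGE neighbor-change logs, the
crash handler's "Received signal" line and watchfrr's "state -> down"
message. Wording varies between FRR versions; tune the patterns.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
Aug 19 10:00:01 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.7 in vrf default Up
Aug 19 10:02:11 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.7 in vrf default Down BGP Notification received
Aug 19 10:02:15 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.7 in vrf default Up
Aug 19 10:03:40 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.7 in vrf default Down BGP Notification received
Aug 19 10:03:44 rtr1 bgpd[1234]: %ADJCHANGE: neighbor 192.0.2.7 in vrf default Up
Aug 19 10:04:02 rtr1 bgpd[1234]: Received signal 11 at 1724061842 (si_addr 0x0, PC 0x55d1c0a3e2f1); aborting...
Aug 19 10:04:02 rtr1 kernel: bgpd[1234]: segfault at 7f3a1c000000 ip 000055d1c0a3e2f1 sp 00007ffd3a2b1c40 error 4 in bgpd[55d1c09e0000+1a0000]
Aug 19 10:04:03 rtr1 watchfrr[1200]: bgpd state -> down : read returned EOF
Aug 19 10:04:05 rtr1 bgpd[1301]: %ADJCHANGE: neighbor 198.51.100.9 in vrf default Up
Aug 19 10:05:30 rtr1 bgpd[1301]: %ADJCHANGE: neighbor 198.51.100.9 in vrf default Down Peer closed the session
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
PEER_DOWN_RE = re.compile(r"%ADJCHANGE: neighbor (?P<peer>\S+) in vrf (?P<vrf>\S+) Down(?P<reason>.*)")
CRASH_RE = re.compile(r"Received signal \d+|segfault at|Segmentation fault|core dumped", re.IGNORECASE)
DAEMON_DOWN_RE = re.compile(r"bgpd state -> down")


def parse_ts(text):
    # Syslog timestamps carry no year; good enough for within-window comparisons.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text, reset_threshold=2, window_seconds=600):
    """Classify lines and flag peers whose sessions dropped `reset_threshold`
    times within `window_seconds`. Returns a dict of findings."""
    crashes, daemon_down = [], []
    downs = defaultdict(list)
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        proc, msg = m["proc"], m["msg"]
        # Crash evidence comes from bgpd itself or from the kernel naming bgpd.
        if CRASH_RE.search(msg) and (proc == "bgpd" or "bgpd" in msg):
            crashes.append(line)
        elif proc == "watchfrr" and DAEMON_DOWN_RE.search(msg):
            daemon_down.append(line)
        elif proc == "bgpd":
            d = PEER_DOWN_RE.search(msg)
            if d:
                downs[d["peer"]].append(parse_ts(m["ts"]))
    # A peer is "flapping" if reset_threshold Down events fall inside one window.
    flapping = {}
    for peer, times in downs.items():
        times.sort()
        for i in range(len(times) - reset_threshold + 1):
            if (times[i + reset_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flapping[peer] = len(times)
                break
    return {"crashes": crashes, "daemon_down": daemon_down, "flapping_peers": flapping}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

To run it against a live box, feed it the output of journalctl -u frr or the contents of /var/log/frr/frr.log instead of SAMPLE_LOG. The reset threshold and window are the knobs to tune: a single Down is routine operations, while the same peer going Down twice within minutes followed by a crash line is the pattern this advisory's indicators describe.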