A recent analysis of seven different implementations of the Border Gateway Protocol (BGP) by Forescout Vedere Labs has uncovered three new vulnerabilities in the software implementation of version 8.4 of FRRouting. The three vulnerabilities in BGP include CVE-2022-40302, CVE-2022-40318, and CVE-2022-43681.
This blog will discuss these Message Parsing vulnerabilities in FRRouting and how to mitigate their impact.
FRRouting is an open-source internet routing protocol suite for Unix and Linux platforms. It offers a comprehensive set of protocols, including RIP, PIM, Babel, RIPv1, RIPv2, IS-IS, OSPFv2, OSPFv3, OpenFabric, PBR, RIPng, and VRRP. It also provides alpha support for NHRP and EIGRP.
FRR was initially introduced by the Quagga developers working under the Quagga project. They joined forces to build a routing protocol stack that could improve Quagga’s well-established foundation.
It integrates with the native Unix/Linux IP networking stack, which makes it a versatile routing stack for purposes such as internet peering, LAN switching and routing, advertising network services, connecting hosts, virtual machines and containers to networks, and internet access routers.
Border Gateway Protocol (BGP) is a gateway protocol that networks use to exchange routing information between autonomous systems (AS). Through BGP peering, networks learn the best path for data packets to take.
BGP supports the next-hop paradigm, forwarding packets to the best choice among the available next-hop routers to optimize network performance. It also supports CIDR, which allows efficient allocation of IP addresses and conserves network bandwidth, enabling organizations to make the most of their networks.
BGP can be configured to implement policies that determine which routes are best for different situations. It runs over TCP, making it compatible with the rest of the internet, and it can also interface with SSL, VPNs, and TLS for secure communication.
BGP has various functions, including:
Initial peer acquisition and authentication
Sending of reachability information
Verification of peer and network connection functionality
Route information management functions such as route storage, update, selection, and advertisement.
Exploiting the three new Message Parsing vulnerabilities in FRRouting causes a denial-of-service (DoS) condition: the BGP service crashes and network connectivity is lost. Below are the three new vulnerabilities in BGP:
CVE-2022-40302
Attack complexity: Low
CVSS Score: 6.5
CVE-2022-40302 is an out-of-bounds read vulnerability in BGP OPEN message processing. A remote attacker can exploit it by sending a specially crafted BGP OPEN message, triggering an out-of-bounds read that can crash the BGP service.
CVE-2022-40318
Attack complexity: Low
CVSS Score: 6.5
CVE-2022-40318 is a security vulnerability arising from an out-of-bounds read while handling a malformed BGP OPEN message. It is distinct from CVE-2022-40302, which involves a similar problem with a malformed BGP OPEN message.
CVE-2022-43681
Attack complexity: Low
CVSS Score: 6.5
CVE-2022-43681 is another vulnerability affecting Border Gateway Protocol (BGP), caused by an out-of-bounds read similar to CVE-2022-40302 and CVE-2022-40318. It is triggered by processing a malformed BGP OPEN message that ends prematurely after an octet or a word, depending on the type of OPEN message.
The BGP fuzzer tool is an automated, dynamic testing tool for checking the robustness of applications and protocol stacks that use the Border Gateway Protocol (BGP). It tests billions of input combinations and prioritizes dynamically generated inputs that are more likely to cause the product to fail.
To test BGP protocol suites using the BGP fuzzer tool, here are some steps:
Before running the tool for the first time, install all the necessary Python packages.
To start the experimental monitor on a target machine, run the command $ python myrpc.py --ip [TARGET'S IP] --port [RPC port] --monitor [frr | bird | openbgpd], substituting the target's IP, RPC port, and monitor type. The command may require root permissions, and the output will display the target's PID.
The fuzzer tool offers four default fuzzer scripts for different BGP message types: fuzz_open.py, fuzz_update.py, fuzz_route_refresh.py, and fuzz_notification.py. You can comment or uncomment the test cases in the script to choose a test suite. Each test suite is accompanied by a description that outlines the kind of malformed packets it generates.
To run a particular fuzz suite, you can use the following command: $ [FUZZ SUITE].py --fbgp_id [FUZZER'S BGP IDENTIFIER] --fasn [FUZZER'S ASN] --tip [TARGET'S IP ADDRESS] --trpc_port [TARGET'S RPC PORT].
After running the fuzz suite, monitor the test case execution through BooFuzz’s web interface. If you want to reproduce the crash, copy the raw output or run a Python script generated by the monitor in your current working directory. The script will have a name like “BgpOpenFuzzer_2_testcase_138.py”. You can run this script with the IP address of the target as an argument.
BGP is an important part of the internet, and several guidelines exist for securing it, such as those from the RIPE NCC, NSA, NIST, and the Internet Society. However, these guidelines primarily focus on known BGP security issues. It is important to consider that the vulnerabilities in open-source components can easily spread widely through the supply chain effect.
The recent CVE-2022-40302 and CVE-2022-40318 issues highlight how the same vulnerable code can exist in multiple places within a codebase as a root cause for several vulnerabilities. It is possible that similar or identical code exists in other projects and impacts various products that use FRRouting.
To mitigate the risks of the vulnerabilities, such as those discovered in FRRouting, it is recommended to patch network infrastructure devices as frequently as possible. This can be achieved by maintaining an updated asset inventory that tracks all networking devices within the organization and their software versions. Software that provides granular visibility for each device in the network can make this process much easier.
These three new Message Parsing vulnerabilities in the FRRouting protocol suite are a significant concern for network security professionals. These vulnerabilities allow an attacker to remotely execute code on a targeted device, which can result in a range of negative consequences, including network downtime and data breaches. To mitigate the risk of these vulnerabilities in BGP, updating the software version to the latest one can help.
We hope this post has helped you understand the three BGP Message Parsing vulnerabilities in the FRRouting protocol suite.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.