Forescout Vedere Labs has identified three vulnerabilities in version 8.4 of FRRouting, an open source routing protocol suite for Linux and Unix platforms. The flaws could be exploited to create a denial-of-service condition on vulnerable BGP peers.
The vulnerabilities, CVE-2022-40302, CVE-2022-40318, and CVE-2022-43681, were found during an analysis of seven BGP implementations: FRRouting itself, BIRD, OpenBGPd, Mikrotik RouterOS, Juniper JunOS, Cisco IOS, and Arista EOS. FRRouting is shipped in several widely deployed network operating systems, including NVIDIA Cumulus, DENT, and SONiC, which makes the exposure considerably broader than a single project and the risk significant.
All three vulnerabilities are out-of-bounds reads in the code that parses BGP OPEN messages. Triggering one crashes the BGP daemon, which drops every BGP session and the routing table it had built, leaving the peer unable to route until the daemon is restarted; an attacker can prolong the outage indefinitely by resending the malformed message each time the peer comes back. The root cause is a single flawed code pattern that was copied into several functions handling different stages of OPEN message parsing, so the same defect recurs in more than one place.
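As an added illustration of the bug class just described (it is not FRRouting's code, nor Forescout's proof of concept, and it does not reproduce any of the three CVEs), the C block below walks the optional-parameter and capability TLVs of a BGP OPEN message twice: once trusting every length byte the way the flawed pattern does, and once checking each length against the bytes that remain. The `rd` read helper, `run_parser`, the 1024-byte arena it copies the message into, and the two sample OPEN messages are all constructed for this example; the arena exists only so the unchecked walker's over-read can be observed as an offset past the message end rather than as undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BGP_HEADER_LEN       19  /* 16-byte marker, 2-byte length, 1-byte type */
#define BGP_OPEN_FIXED_LEN   10  /* version, my AS, hold time, BGP identifier, opt parm len */
#define BGP_OPT_CAPABILITIES  2  /* optional parameter type carrying capability TLVs */

struct parse_result {
    int ncaps;          /* capabilities found, or -1 if the message was rejected */
    size_t max_offset;  /* highest byte offset actually read, relative to msg */
};

/* Every byte read goes through here so callers can see how far a parser went. */
static uint8_t rd(struct parse_result *r, const uint8_t *msg, size_t off)
{
    if (off > r->max_offset) r->max_offset = off;
    return msg[off];
}

/* Vulnerable pattern (illustrative, not FRR's code): parameter and capability
 * length bytes are trusted, so a capability claiming more bytes than remain
 * reads past the message. msg_len is never consulted, which is the defect. */
struct parse_result parse_open_caps_unchecked(const uint8_t *msg, size_t msg_len)
{
    struct parse_result r = {0, 0};
    size_t off = BGP_HEADER_LEN + BGP_OPEN_FIXED_LEN - 1;   /* "Opt Parm Len" byte */
    size_t end = off + 1 + rd(&r, msg, off);
    (void)msg_len;
    off++;
    while (off < end) {
        uint8_t type = rd(&r, msg, off), len = rd(&r, msg, off + 1);
        size_t c = off + 2, c_end = c + len;
        while (type == BGP_OPT_CAPABILITIES && c < c_end) {
            uint8_t cap_len = rd(&r, msg, c + 1);
            for (size_t i = 0; i < cap_len; i++)
                (void)rd(&r, msg, c + 2 + i);            /* the over-read */
            c += 2 + cap_len;
            r.ncaps++;
        }
        off = c_end;
    }
    return r;
}

/* Hardened form: each length is checked against what remains before it is
 * used, and any inconsistency rejects the whole message. */
struct parse_result parse_open_caps_checked(const uint8_t *msg, size_t msg_len)
{
    struct parse_result r = {-1, 0};
    if (msg_len < BGP_HEADER_LEN + BGP_OPEN_FIXED_LEN) return r;
    size_t off = BGP_HEADER_LEN + BGP_OPEN_FIXED_LEN - 1;
    uint8_t optlen = rd(&r, msg, off++);
    if (optlen > msg_len - off) return r;             /* parameters exceed the message */
    size_t end = off + optlen;
    int ncaps = 0;
    while (off < end) {
        if (end - off < 2) return r;                  /* no room for type + length */
        uint8_t type = rd(&r, msg, off), len = rd(&r, msg, off + 1);
        size_t c = off + 2, c_end = c + len;
        if (c_end > end) return r;                    /* parameter overruns its area */
        while (type == BGP_OPT_CAPABILITIES && c < c_end) {
            if (c_end - c < 2) return r;
            uint8_t cap_len = rd(&r, msg, c + 1);
            if (cap_len > c_end - (c + 2)) return r;  /* the check the unchecked walker lacks */
            for (size_t i = 0; i < cap_len; i++)
                (void)rd(&r, msg, c + 2 + i);
            c += 2 + cap_len;
            ncaps++;
        }
        off = c_end;
    }
    r.ncaps = ncaps;
    return r;
}

/* Constructed sample OPEN messages (not captured traffic): AS 65000, hold time
 * 180, BGP identifier 192.0.2.1, one Capabilities parameter holding a single
 * MP-BGP capability (code 1, 4 bytes: AFI 1 / SAFI 1). 37 bytes each. */
#define OPEN_PREFIX                                                              \
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, \
    0xff, 0xff, 0xff, 0x00, 0x25, 0x01, 0x04, 0xfd, 0xe8, 0x00, 0xb4, 0xc0, 0x00, \
    0x02, 0x01, 0x08, 0x02, 0x06
static const uint8_t open_ok[]  = { OPEN_PREFIX, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 };
/* Same message, but the capability length byte claims 64 bytes where only 4 follow. */
static const uint8_t open_bad[] = { OPEN_PREFIX, 0x01, 0x40, 0x00, 0x01, 0x00, 0x01 };

/* Runs a parser on msg copied into a zeroed arena, so the unchecked walker's
 * over-read is observable as max_offset > msg_len rather than as undefined
 * behaviour. The arena is a demo artefact, not part of BGP. */
struct parse_result run_parser(struct parse_result (*parser)(const uint8_t *, size_t),
                               const uint8_t *msg, size_t msg_len)
{
    uint8_t arena[1024] = {0};
    memcpy(arena, msg, msg_len);
    return parser(arena, msg_len);
}
```

Calling `run_parser(parse_open_caps_unchecked, open_bad, sizeof open_bad)` returns a `max_offset` of 96 for a 37-byte message, while `run_parser(parse_open_caps_checked, open_bad, sizeof open_bad)` returns an `ncaps` of -1 and stops at the bad length byte. The bound has to be enforced at every nesting level (message, parameter, capability), which is why a pattern copied into several parsing functions tends to be wrong in several places at once.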
An attacker could compromise a legitimate peer and then send a specially crafted, unsolicited BGP OPEN message. The attack works because FRRouting begins parsing the OPEN message before it has verified the BGP Identifier and ASN fields of the sending router, so the peer-identity checks that would normally reject an unexpected neighbour are never reached. Session-level protections such as TCP MD5 or TCP-AO make it harder for an outsider to inject a connection, but they do not help when the message comes from a compromised peer that already holds the session key; to mitigate the risk from vulnerable BGP implementations, Forescout recommends patching network infrastructure devices as often as possible.
Forescout has also released an open source tool, bgp_boofuzzer, built on the boofuzz fuzzing framework, that lets organizations test the BGP implementations they run and hunt for new flaws in them. The findings come just weeks after ESET reported that secondhand routers previously used in business networks still contained sensitive data, including corporate credentials, VPN details, cryptographic keys, and other customer information.