
A recent analysis of seven different implementations of the Border Gateway Protocol (BGP) by Forescout Vedere Labs has uncovered three new vulnerabilities in the software implementation of version 8.4 of FRRouting. The three vulnerabilities in BGP include CVE-2022-40302, CVE-2022-40318, and CVE-2022-43681. 

This blog will discuss these Message Parsing vulnerabilities in FRRouting and how to mitigate their impact.  

A Short Note About FRRouting

FRRouting is an open-source internet routing protocol suite for Unix and Linux platforms. It offers a comprehensive set of protocols, including RIP, PIM, Babel, RIPv1, RIPv2, IS-IS, OSPFv2, OSPFv3, OpenFabric, PBR, RIPng, and VRRP. It also provides alpha support for NHRP and EIGRP. 

FRR was initially introduced by the Quagga developers working under the Quagga project. They joined forces to build a routing protocol stack that could improve Quagga’s well-established foundation. 

It seamlessly integrates with native Unix/Linux IP networking stacks, which makes it a versatile routing stack that can be used for various purposes like internet peering, LAN switching and routing, advertising network services, connecting hosts, virtual machines, containers to the networks, and internet access routers. 

What is BGP (Border Gateway Protocol)?

Border Gateway Protocol (BGP) is a gateway protocol used by networks to communicate and exchange routing information between autonomous systems (AS). Through BGP peering, routers learn the best path for data packets to take.  

BGP supports the next-hop paradigm, forwarding packets to the best choice among all candidate routers to optimize network performance. It also supports CIDR, allowing for the efficient allocation of IP addresses and conserving network bandwidth, which lets organizations make the most of their networks. 

BGP can be configured to implement policies that determine which routes are best for different situations. It runs over TCP, making it compatible with the rest of the internet, and it can also interface with SSL, VPNs, and TLS for secure communication.

BGP has various functions, including: 

  1. Initial peer acquisition and authentication
  2. Sending of reachability information
  3. Verification of peer and network connection functionality
  4. Route information management functions, such as route storage, update, selection, and advertisement.

Summary of Three BGP Message Parsing Vulnerabilities in FRRouting Protocol Suite

Exploiting the three new Message Parsing vulnerabilities in FRRouting causes a denial of service (DoS): the BGP service crashes and network connectivity is lost. The three new vulnerabilities in BGP are listed below.

CVE-2022-40302

  • Attack complexity: Low
  • CVSS Score: 6.5

CVE-2022-40302 is an out-of-bounds read vulnerability in the BGP OPEN Message Processing system. A remote attacker can exploit this vulnerability by sending a specially crafted BGP OPEN message, triggering an out-of-bounds read that could potentially crash the BGP service. 

CVE-2022-40318

  • Attack complexity: Low 
  • CVSS Score: 6.5

CVE-2022-40318 is a security vulnerability arising from an out-of-bounds read error while handling an incorrectly formed BGP OPEN message. This vulnerability is distinct from CVE-2022-40302, which involves a similar problem with an incorrectly formed BGP OPEN message. 

 

CVE-2022-43681

  • Attack complexity: Low 
  • CVSS Score: 6.5

CVE-2022-43681 is another vulnerability that affects Border Gateway Protocol (BGP) and is caused by an out-of-bounds read error similar to CVE-2022-40302 and CVE-2022-40318. The vulnerability can be triggered by processing an incorrect BGP OPEN message that ends with an octet or word, depending on the type of OPEN message. 
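All three CVEs above come down to the same defect class: reading fields of a BGP OPEN message past the bytes that were actually received. The parser below is an added example, not FRRouting's code and not a reproduction of the specific defects: it walks the Optional Parameters and the Capabilities inside them (RFC 4271 and RFC 5492 layout) and rejects any length field that would run past the end of the message, including a lone trailing octet. The AS number, BGP identifier and the sample byte strings are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#define BGP_OPEN_MIN 29  /* 19-byte header + 10 fixed OPEN bytes (RFC 4271) */

/* Walk the Optional Parameters of a BGP OPEN message, checking every length
 * field against the bytes actually present before reading past it. Returns
 * the parameter count, or -1 if the message is truncated or a length overruns. */
int parse_open_opt_params(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < BGP_OPEN_MIN || msg[18] != 1) return -1;      /* type 1 = OPEN */
    if ((((size_t)msg[16] << 8) | msg[17]) != msg_len) return -1;
    if (BGP_OPEN_MIN + (size_t)msg[28] != msg_len) return -1;    /* Opt Parm Len */
    const uint8_t *p = msg + BGP_OPEN_MIN, *end = msg + msg_len; int count = 0;
    while (p < end) {
        if (end - p < 2) return -1;                 /* lone trailing octet */
        size_t len = p[1];
        if ((size_t)(end - p) - 2 < len) return -1; /* value runs past message */
        if (p[0] == 2) {                            /* Capabilities parameter */
            const uint8_t *c = p + 2, *cend = c + len;
            while (c < cend) {
                if (cend - c < 2) return -1;        /* truncated capability hdr */
                if ((size_t)(cend - c) - 2 < c[1]) return -1;
                c += 2 + c[1];
            }
        }
        p += 2 + len;
        count++;
    }
    return count;
}

/* Wrap constructed optional-parameter bytes in an OPEN (AS 65000, hold 180 s,
 * BGP ID 10.0.0.1, all made up here) and run the parser over the result. */
int check_opt_params(const uint8_t *opt, uint8_t opt_len)
{
    uint8_t msg[BGP_OPEN_MIN + 255];
    size_t len = BGP_OPEN_MIN + opt_len;
    memset(msg, 0xff, 16);                                  /* marker */
    msg[16] = (uint8_t)(len >> 8); msg[17] = (uint8_t)len; msg[18] = 1;
    msg[19] = 4; msg[20] = 0xfd; msg[21] = 0xe8;            /* version, My AS */
    msg[22] = 0; msg[23] = 180;                             /* hold time */
    msg[24] = 10; msg[25] = 0; msg[26] = 0; msg[27] = 1;    /* BGP identifier */
    msg[28] = opt_len; memcpy(msg + BGP_OPEN_MIN, opt, opt_len);
    return parse_open_opt_params(msg, len);
}

/* Constructed samples: valid MP-BGP capability; capability claiming 4 bytes with 1 present; stray octet. */
static const uint8_t OPT_OK[]   = {2, 6, 1, 4, 0, 1, 0, 1};
static const uint8_t OPT_OVER[] = {2, 3, 1, 4, 0};
static const uint8_t OPT_TAIL[] = {2, 2, 1, 0, 7};
```

Running the three samples through check_opt_params() returns 1 for OPT_OK and -1 for both malformed inputs, which is the point where a parser without these checks would read beyond the received buffer.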

Test BGP Protocol Suites Using BGP Fuzzer Tool

The BGP fuzzer tool is an automated, dynamic testing tool for checking the security of applications and protocols that use the Border Gateway Protocol (BGP). It tests billions of input combinations and prioritizes dynamically generated attacks that are most likely to cause product failure.  

Time needed: 15 minutes.

To test BGP protocol suites using the BGP fuzzer tool, here are some steps: 

  1. Install the Python Packages: Before running the tool for the first time, install all the necessary Python packages.
  2. Start the Monitor on a Target Machine: To start the experimental monitor on a target machine, copy the code and execute the command $ python myrpc.py --ip [TARGET'S IP] --port [RPC port] --monitor [frr | bird | openbgpd] with the target's IP, RPC port, and monitor type. The command may require root permissions, and the output will display the target's PID. 
  3. Choose a Fuzz Suite to Run: The fuzzer tool offers four default fuzzer scripts for different BGP message types: fuzz_open.py, fuzz_update.py, fuzz_route_refresh.py, and fuzz_notification.py. You can comment or uncomment the test cases in the script to choose a test suite. Each test suite is accompanied by a description that outlines the kind of malformed packets it generates.
  4. Run the Fuzzer: To run a particular fuzz suite, use the following command: $ [FUZZ SUITE].py --fbgp_id [FUZZER'S BGP IDENTIFIER] --fasn [FUZZER'S ASN] --tip [TARGET'S IP ADDRESS] --trpc_port [TARGET'S RPC PORT]. 
  5. Get the Results: After running the fuzz suite, monitor the test case execution through BooFuzz's web interface. If you want to reproduce the crash, copy the raw output or run a Python script generated by the monitor in your current working directory. The script will have a name like "BgpOpenFuzzer_2_testcase_138.py". You can run this script with the IP address of the target as an argument.

How to Mitigate the Three BGP Message Parsing Vulnerabilities in FRRouting Protocol Suite?

BGP is an important part of the internet, and several guidelines exist for securing it, such as those from the RIPE NCC, NSA, NIST, and the Internet Society. However, these guidelines primarily focus on known BGP security issues. It is important to consider that the vulnerabilities in open-source components can easily spread widely through the supply chain effect. 

The recent CVE-2022-40302 and CVE-2022-40318 issues highlight how the same vulnerable code can exist in multiple places within a codebase as a root cause for several vulnerabilities. It is possible that similar or identical code exists in other projects and impacts various products that use FRRouting.

To mitigate the risks of the vulnerabilities, such as those discovered in FRRouting, it is recommended to patch network infrastructure devices as frequently as possible. This can be achieved by maintaining an updated asset inventory that tracks all networking devices within the organization and their software versions. Software that provides granular visibility for each device in the network can make this process much easier.

 

Conclusion 

These three new Message Parsing vulnerabilities in the FRRouting protocol suite are a significant concern for network security professionals. These vulnerabilities allow an attacker to remotely execute code on a targeted device, which can result in a range of negative consequences, including network downtime and data breaches. To mitigate the risk of these vulnerabilities in BGP, update the software to the latest version. 
