Bug 2230983 (CVE-2023-38802)

Summary: CVE-2023-38802 frr: Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bmason, dfreiber, fhrdina, jburrell, mruprich, rogbas, sbroz, security-response-team, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: frr 9.1, frr 8.4-stable Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in FRRouting (FRR). This flaw allows a remote attacker to cause a denial of service issue via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2231000, 2231001, 2231062, 2231063, 2236442, 2236704, 2236705, 2236706, 2236707, 2236708, 2236709, 2236710, 2236711    
Bug Blocks: 2230985    

Description msiddiqu 2023-08-10 10:26:01 UTC 
Incorrect length handling of path attributes in BGP packets can lead to a session reset.
Comment 7 msiddiqu 2023-08-31 10:03:54 UTC 
Created frr tracking bugs for this issue:

Affects: fedora-all [bug 2236442]
Comment 8 msiddiqu 2023-08-31 10:04:41 UTC 
# Upstream Fix: 

- https://github.com/FRRouting/frr/pull/14290
- https://github.com/FRRouting/frr/issues/14289
Comment 9 msiddiqu 2023-08-31 10:17:19 UTC 
References: 
 
- https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
- https://github.com/advisories/GHSA-xh4f-v933-c556
- https://nvd.nist.gov/vuln/detail/CVE-2023-38802
- http://tools.ietf.org/html/rfc4271
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig
Comment 12 errata-xmlrpc 2023-09-18 13:49:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5196 https://access.redhat.com/errata/RHSA-2023:5196
Comment 13 errata-xmlrpc 2023-09-18 13:49:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5194 https://access.redhat.com/errata/RHSA-2023:5194
Comment 14 errata-xmlrpc 2023-09-18 13:57:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5195 https://access.redhat.com/errata/RHSA-2023:5195
Comment 15 errata-xmlrpc 2023-09-19 08:00:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5219 https://access.redhat.com/errata/RHSA-2023:5219
Comment 16 errata-xmlrpc 2023-10-05 13:01:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5464 https://access.redhat.com/errata/RHSA-2023:5464
Comment 17 errata-xmlrpc 2023-10-05 13:41:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5457 https://access.redhat.com/errata/RHSA-2023:5457
Comment 18 errata-xmlrpc 2023-10-05 14:36:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5465 https://access.redhat.com/errata/RHSA-2023:5465