2196091 – (CVE-2022-40318) CVE-2022-40318 frr: denial of service by crafting a BGP OPEN message with an option of type in bgp_open_option_parse in the bgp_open.c 0xff

Bug 2196091 (CVE-2022-40318) - CVE-2022-40318 frr: denial of service by crafting a BGP OPEN message with an option of type in bgp_open_option_parse in the bgp_open.c 0xff

Summary: CVE-2022-40318 frr: denial of service by crafting a BGP OPEN message with an ...

Keywords:
Status:	NEW
Alias:	CVE-2022-40318
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2196094 2196796
Blocks:	2193421
TreeView+	depends on / blocked

Reported:	2023-05-08 04:14 UTC by Sandipan Roy
Modified:	2023-11-07 08:16 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in FRRouting. The issue occurs in bgpd in FRRouting (FRR). By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart or out-of-bounds read). This flaw is possible due to inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case. This behavior occurs in the bgp_open_option_parse in the bgp_open.c file, a different location (with a different attack vector) relative to CVE-2022-40302.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:6434	0	None	None	None	2023-11-07 08:16:42 UTC

Description Sandipan Roy 2023-05-08 04:14:15 UTC

An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case. NOTE: this behavior occurs in bgp_open_option_parse in the bgp_open.c file, a different location (with a different attack vector) relative to CVE-2022-40302.

https://github.com/FRRouting/frr/releases

Comment 4 errata-xmlrpc 2023-11-07 08:16:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6434 https://access.redhat.com/errata/RHSA-2023:6434

Note You need to log in before you can comment on or make changes to this bug.