-------------------------------------------------------------------------
Debian LTS Advisory DLA-3797-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
April 28, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : frr
Version        : 7.5.1-1.1+deb10u2
CVE ID         : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 
                 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 
                 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 
                 CVE-2024-31948 CVE-2024-31949
Debian Bug     : 1008010 1016978 1055852

Several vulnerabilities have been found in frr, the FRRouting suite of
internet protocols. An attacker could craft packets to trigger buffer
overflows with the possibility of gaining remote code execution, buffer
overreads, crashes, or to trick the software into entering an infinite loop.

CVE-2022-26125

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    wrong checks on the input packet length in isisd/isis_tlvs.c.

CVE-2022-26126

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    the use of strdup with a non-zero-terminated binary string in
    isis_nb_notifications.c.

CVE-2022-26127

    A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
    a missing check on the input packet length in the babel_packet_examin
    function in babeld/message.c.

CVE-2022-26128

    A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
    a wrong check on the input packet length in the babel_packet_examin
    function in babeld/message.c.

CVE-2022-26129

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    wrong checks on the subtlv length in the functions parse_hello_subtlv,
    parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.

CVE-2022-37035

    An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
    bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
    there is a possible use-after-free due to a race condition. This could
    lead to Remote Code Execution or Information Disclosure by sending
    crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-38406

    bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri
    length of zero, aka a "flowspec overflow."

CVE-2023-38407

    bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond
    the end of the stream during labeled unicast parsing.

CVE-2023-46752

    An issue was discovered in FRRouting FRR through 9.0.1. It mishandles
    malformed MP_REACH_NLRI data, leading to a crash.

CVE-2023-46753

    An issue was discovered in FRRouting FRR through 9.0.1. A crash can
    occur for a crafted BGP UPDATE message without mandatory attributes,
    e.g., one with only an unknown transit attribute.

CVE-2023-47234

    An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
    bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
    there is a possible use-after-free due to a race condition. This could
    lead to Remote Code Execution or Information Disclosure by sending
    crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-47235

    An issue was discovered in FRRouting FRR through 9.0.1. A crash can
    occur when a malformed BGP UPDATE message with an EOR is processed,
    because the presence of EOR does not lead to a treat-as-withdraw
    outcome.

CVE-2024-31948

    In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID
    attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.

CVE-2024-31949

    In FRRouting (FRR) through 9.1, an infinite loop can occur when
    receiving an MP/GR capability as a dynamic capability because malformed
    data results in a pointer not advancing.
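Most of the issues above share one root cause: a length field taken from the
packet is trusted before it is compared against the bytes actually received
(CVE-2022-26125, CVE-2022-26127, CVE-2022-26128, CVE-2022-26129,
CVE-2023-38407), or a malformed element lets the parse loop stall
(CVE-2024-31949). The walker below is an added illustration written for this
advisory, not FRR code; the element layout, the TLV_TYPE_ADDR4 type and the
sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome codes (constructed for this example). */
enum tlv_result { TLV_OK, TLV_TRUNCATED, TLV_VALUE_TOO_SHORT, TLV_NO_PROGRESS, TLV_TOO_MANY };
/* One element as laid out on the wire: 1-byte type, 1-byte length, value. */
struct tlv_view { uint8_t type; uint8_t len; const uint8_t *value; };
/* Hypothetical sub-TLV type whose value must hold a 4-byte address. */
#define TLV_TYPE_ADDR4 1

/* Walk type/length/value elements in buf[0..buflen), storing at most max
 * parsed views in out and the number parsed in *count. Every read is
 * checked against buflen first, so a bogus length is rejected instead of
 * being used to read past the end of the packet. */
enum tlv_result walk_tlvs(const uint8_t *buf, size_t buflen,
                          struct tlv_view *out, size_t max, size_t *count)
{
    size_t off = 0;
    *count = 0;
    while (off < buflen) {
        size_t start = off;
        if (buflen - off < 2)           /* header must fit before reading it */
            return TLV_TRUNCATED;
        uint8_t type = buf[off], len = buf[off + 1];
        off += 2;
        if (len > buflen - off)         /* value must fit: compare sizes, never pointers */
            return TLV_TRUNCATED;
        if (type == TLV_TYPE_ADDR4 && len < 4)   /* fixed field must be fully present */
            return TLV_VALUE_TOO_SHORT;
        if (*count == max)
            return TLV_TOO_MANY;
        out[*count].type = type;
        out[*count].len = len;
        out[*count].value = buf + off;
        (*count)++;
        off += len;
        if (off <= start)               /* loop must consume bytes or it never ends */
            return TLV_NO_PROGRESS;
    }
    return TLV_OK;
}

/* Constructed packets: one well-formed, one whose length field overruns
 * the buffer, one whose ADDR4 value is shorter than the field it must carry. */
const uint8_t sample_ok[]    = { 1, 4, 192, 168, 0, 1, 2, 0 };
const uint8_t sample_trunc[] = { 1, 8, 0xAA };
const uint8_t sample_short[] = { 1, 2, 0xAA, 0xBB };
struct tlv_view scratch[8]; size_t scratch_count;
```

The same pattern of checking remaining length before every read, and of
verifying progress on each loop iteration, is what an updated parser must
guarantee for each TLV, NLRI and capability it consumes.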

For Debian 10 buster, these problems have been fixed in version
7.5.1-1.1+deb10u2.

We recommend that you upgrade your frr packages.

For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
