-------------------------------------------------------------------------
Debian LTS Advisory DLA-3865-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
September 03, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : frr
Version        : 7.5.1-1.1+deb11u3
CVE ID         : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128
                 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407
                 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235
                 CVE-2024-31948 CVE-2024-31949 CVE-2024-44070
Debian Bug     : 1008010 1016978 1055852 1079649

Several vulnerabilities have been found in frr, the FRRouting suite of
internet protocols. An attacker could craft packets to potentially trigger
the following effects: buffer overflows with the possibility to gain remote
code execution, buffer overreads, crashes, or tricking the software into an
infinite loop.

CVE-2022-26125

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    wrong checks on the input packet length in isisd/isis_tlvs.c.

CVE-2022-26126

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    the use of strdup with a non-zero-terminated binary string in
    isis_nb_notifications.c.

CVE-2022-26127

    A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
    a missing check on the input packet length in the babel_packet_examin
    function in babeld/message.c.

CVE-2022-26128

    A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
    a wrong check on the input packet length in the babel_packet_examin
    function in babeld/message.c.

CVE-2022-26129

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    wrong checks on the subtlv length in the functions parse_hello_subtlv,
    parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.

CVE-2022-37035

    An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
    bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
    there is a possible use-after-free due to a race condition. This could
    lead to Remote Code Execution or Information Disclosure by sending
    crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-38406

    bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri
    length of zero, aka a "flowspec overflow."

CVE-2023-38407

    bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond
    the end of the stream during labeled unicast parsing.

CVE-2023-46752

    An issue was discovered in FRRouting FRR through 9.0.1. It mishandles
    malformed MP_REACH_NLRI data, leading to a crash.

CVE-2023-46753

    An issue was discovered in FRRouting FRR through 9.0.1. A crash can
    occur for a crafted BGP UPDATE message without mandatory attributes,
    e.g., one with only an unknown transit attribute.

CVE-2023-47234

    An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
    bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
    there is a possible use-after-free due to a race condition. This could
    lead to Remote Code Execution or Information Disclosure by sending
    crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-47235

    An issue was discovered in FRRouting FRR through 9.0.1. A crash can
    occur when a malformed BGP UPDATE message with an EOR is processed,
    because the presence of EOR does not lead to a treat-as-withdraw
    outcome.

CVE-2024-31948

    In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID
    attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.

CVE-2024-31949

    In FRRouting (FRR) through 9.1, an infinite loop can occur when
    receiving an MP/GR capability as a dynamic capability because malformed
    data results in a pointer not advancing.

CVE-2024-44070

    An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap
    in bgpd/bgp_attr.c does not check the actual remaining stream length
    before taking the TLV value.
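Most of the entries above describe one defect class: a TLV or packet parser
that trusts a length field carried in the packet instead of checking the
bytes actually remaining in the stream, or that hands a non-NUL-terminated
value to strdup(). The following is an added illustration written for this
advisory, not code from FRR or from the fixes shipped in this update. It
assumes a simple hypothetical TLV layout (1-byte type, 1-byte length, value)
and the function and struct names are invented for the example; it shows the
checks a hardened parser performs before each read and copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed TLV layout for this example (not FRR's wire format):
 * 1-byte type, 1-byte length, then exactly `length` value bytes. */
#define TLV_HDR_LEN   2
#define MAX_VALUE_LEN 64

struct tlv_result {
    int  count;                         /* TLVs accepted */
    char last_text[MAX_VALUE_LEN + 1];  /* last value, always NUL-terminated */
};

/* Parse every TLV in buf[0..len). Returns the number of TLVs, or -1 as soon
 * as a TLV would reach past the end of the stream, so that a forged length
 * byte can cause neither an over-read nor an over-long copy. */
int parse_tlvs(const uint8_t *buf, size_t len, struct tlv_result *out)
{
    size_t pos = 0;

    out->count = 0;
    out->last_text[0] = '\0';

    while (pos < len) {
        /* 1. The header itself must fit before type and length are read. */
        if (len - pos < TLV_HDR_LEN)
            return -1;

        uint8_t type = buf[pos];
        uint8_t vlen = buf[pos + 1];
        const uint8_t *value = buf + pos + TLV_HDR_LEN;

        /* 2. Check the actual remaining stream length before taking the
         *    value. Comparing against the remaining byte count (rather than
         *    adding vlen to pos) cannot overflow. */
        if (vlen > len - pos - TLV_HDR_LEN)
            return -1;

        /* 3. Bound the copy by our own buffer size, not the peer's length. */
        if (vlen > MAX_VALUE_LEN)
            return -1;

        /* 4. The value is raw bytes with no terminator: copy exactly vlen
         *    bytes and terminate it ourselves. strdup(value) would scan past
         *    the TLV looking for a NUL that is not there. */
        memcpy(out->last_text, value, vlen);
        out->last_text[vlen] = '\0';

        (void)type;                 /* type-specific handling would go here */
        out->count++;
        pos += TLV_HDR_LEN + vlen;  /* always advances by at least the header */
    }
    return out->count;
}

int main(void)
{
    /* Constructed sample inputs for the example, not captured traffic. */
    const uint8_t good[]         = { 0x01, 0x03, 'a', 'b', 'c',
                                     0x02, 0x02, 'x', 'y' };
    const uint8_t short_value[]  = { 0x01, 0x05, 'a', 'b' }; /* claims 5, has 2 */
    const uint8_t short_header[] = { 0x01 };                 /* no length byte */
    struct tlv_result r;
    int n;

    n = parse_tlvs(good, sizeof good, &r);
    printf("good:         %d TLVs, last value \"%s\"\n", n, r.last_text);
    n = parse_tlvs(short_value, sizeof short_value, &r);
    printf("short value:  %d (rejected)\n", n);
    n = parse_tlvs(short_header, sizeof short_header, &r);
    printf("short header: %d (rejected)\n", n);
    return 0;
}
```

The two rejections correspond to the two failure modes named in the list:
a length byte larger than the bytes left in the stream, and a header that
is itself truncated. Returning an error to the caller is what lets a
protocol daemon treat the message as malformed (for BGP, the
treat-as-withdraw outcome mentioned under CVE-2023-47235) instead of
crashing or reading past the buffer.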

For Debian 11 bullseye, these problems have been fixed in version
7.5.1-1.1+deb11u3.

We recommend that you upgrade your frr packages.

For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
