Cybersecurity researchers have recently uncovered three vulnerabilities in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. This implementation of the Border Gateway Protocol (BGP) is employed by several vendors, such as NVIDIA Cumulus, DENT, and SONiC, thereby posing potential supply chain risks. The discovery of these vulnerabilities is the result of an analysis of seven different BGP implementations conducted by Forescout Vedere Labs, which include FRRouting, BIRD, OpenBGPd, Mikrotik RouterOS, Juniper JunOS, Cisco IOS, and Arista EOS. BGP is a gateway protocol designed to exchange routing and reachability information between autonomous systems, and is utilized to identify the most efficient routes for delivering internet traffic.
The following three flaws have been identified: CVE-2022-40302 (CVSS score: 6.5), CVE-2022-40318 (CVSS score: 6.5), and CVE-2022-43681 (CVSS score: 6.5). The issues arise when processing a malformed BGP OPEN message that carries an Extended Optional Parameters Length option, or one that ends abruptly at the option length octet. According to a report shared with The Hacker News, malicious actors could exploit them to cause a Denial of Service (DoS) condition on vulnerable BGP peers, dropping all BGP sessions and routing tables and leaving the peer unresponsive.
The DoS condition can be sustained indefinitely by continually sending malformed packets, because the same vulnerable code pattern is replicated across several functions that parse OPEN messages. A malicious actor could exploit this by spoofing the IP address of a legitimate BGP peer, or by exploiting other flaws or misconfigurations, to send a specially crafted unsolicited BGP OPEN message. This is possible because FRRouting begins processing OPEN messages, including decapsulating the optional parameters, before it verifies the BGP Identifier and ASN fields of the originating router.
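To illustrate the parsing defect described above, here is an added example (not code from FRRouting or from Forescout's tool): a bounds-checked BGP OPEN parser in Python that handles both the RFC 4271 legacy and the RFC 9072 extended optional-parameters-length encodings and rejects a message that ends at a parameter's length octet instead of reading past the buffer. The `expected_as` hook is an assumed addition showing the peer-identity check being done before optional parameters are decoded, and `build_open` only produces constructed sample messages for testing.

```python
import struct

MARKER = b"\xff" * 16                        # RFC 4271 message marker
OPEN, EXT = 1, 255                           # OPEN message type; RFC 9072 extended-length marker value

def _need(msg: bytes, off: int, n: int, what: str) -> None:
    # Bounds check before every read: the check whose absence turns a bad OPEN into a crash.
    if off + n > len(msg):
        raise ValueError(f"truncated OPEN: {what} needs {n} byte(s) at offset {off}")

def parse_bgp_open(msg: bytes, expected_as=None) -> dict:
    _need(msg, 0, 29, "fixed OPEN header")   # marker, length, type, version, AS, hold time, id, opt len
    length, msg_type = struct.unpack_from("!HB", msg, 16)
    if msg[:16] != MARKER or msg_type != OPEN or length != len(msg):
        raise ValueError("bad marker, type or length field")
    _, my_as, _, bgp_id, opt_len = struct.unpack_from("!BHHIB", msg, 19)
    if expected_as is not None and my_as != expected_as:  # verify identity before decoding params
        raise ValueError(f"unexpected peer AS {my_as}")
    off, hdr = 29, "!BB"                     # legacy parameter header: 1-byte type, 1-byte length
    if opt_len == EXT:                       # extended encoding: type 255, then a 2-byte length
        _need(msg, off, 3, "extended optional parameters length")
        ext_type, opt_len = struct.unpack_from("!BH", msg, off)
        if ext_type != EXT:
            raise ValueError("length 255 without extended-length parameter type")
        off, hdr = off + 3, "!BH"            # extended parameter header: 1-byte type, 2-byte length
    end = off + opt_len
    if end != len(msg):
        raise ValueError("optional parameters length disagrees with message length")
    params = []
    while off < end:
        _need(msg, off, struct.calcsize(hdr), "optional parameter header")
        ptype, plen = struct.unpack_from(hdr, msg, off)
        off += struct.calcsize(hdr)
        if off + plen > end:
            raise ValueError(f"parameter type {ptype} length {plen} overruns the message")
        params.append((ptype, msg[off:off + plen]))
        off += plen
    return {"my_as": my_as, "bgp_id": bgp_id, "extended": hdr == "!BH", "params": params}

def check_open(msg: bytes, expected_as=None) -> str:
    try:                                     # "ok" or the rejection reason; no exception escapes
        parse_bgp_open(msg, expected_as)
    except ValueError as exc:
        return str(exc)
    return "ok"

def build_open(my_as: int, bgp_id: int, opts: bytes) -> bytes:  # constructed sample OPEN
    payload = struct.pack("!BHHI", 4, my_as, 180, bgp_id) + opts  # version 4, hold time 180, raw opts
    return MARKER + struct.pack("!HB", 19 + len(payload), OPEN) + payload
```

A fuzzer can drive `check_open` over mutated messages: every input ends in either `"ok"` or a specific rejection reason, never an out-of-bounds read.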
Forescout has recently made available an open source Python-based BGP Fuzzer tool, allowing organizations to test the security of their BGP suites as well as identify any potential flaws in BGP implementations. The company stated, “Modern BGP implementations still possess vulnerabilities that can be exploited by malicious actors. To reduce the risk of vulnerable BGP implementations, the most prudent measure is to regularly patch network infrastructure devices.”
These findings come shortly after ESET discovered that secondhand routers previously used in business networking environments contained sensitive data, such as corporate credentials, VPN details, cryptographic keys, and other vital customer information. The Slovak cybersecurity firm commented, “If this data were to fall into the wrong hands, it could be used to launch a cyberattack, as it includes customer data, router-to-router authentication keys, application lists, and much more.”