Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.
The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. It’s currently used by several vendors like NVIDIA Cumulus, DENT, and SONiC, posing supply chain risks.
The discovery is the result of an analysis of seven different implementations of BGP carried out by Forescout Vedere Labs: FRRouting, BIRD, OpenBGPd, Mikrotik RouterOS, Juniper JunOS, Cisco IOS, and Arista EOS.
BGP is a gateway protocol that’s designed to exchange routing and reachability information between autonomous systems. It’s used to find the most efficient routes for delivering internet traffic.
The list of three flaws is as follows –
- CVE-2022-40302 (CVSS score: 6.5) – Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
- CVE-2022-40318 (CVSS score: 6.5) – Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
- CVE-2022-43681 (CVSS score: 6.5) – Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet.
The issues “could be exploited by attackers to achieve a DoS condition on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive,” the company said in a report shared with The Hacker News.
“The DoS condition may be prolonged indefinitely by repeatedly sending malformed packets. The main root cause is the same vulnerable code pattern copied into several functions related to different stages of parsing OPEN messages.”
A threat actor could spoof a valid IP address of a trusted BGP peer or exploit other flaws and misconfigurations to compromise a legitimate peer and then issue a specially-crafted unsolicited BGP OPEN message.
This is achieved by taking advantage of the fact that “FRRouting begins to process OPEN messages (e.g., decapsulating optional parameters) before it gets a chance to verify the BGP Identifier and ASN fields of the originating router.”
Learn to Stop Ransomware with Real-Time Protection
Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.
Forescout has also made available an open source tool called bgp_boofuzzer that allows organizations to test the security of the BGP suites used internally as well as find new flaws in BGP implementations.
“Modern BGP implementations still have low-hanging fruits that can be abused by attackers,” Forescout said. “To mitigate the risk of vulnerable BGP implementations, […] the best recommendation is to patch network infrastructure devices as often as possible.”
The findings come weeks after ESET found that secondhand routers previously used in business networking environments harbored sensitive data, including corporate credentials, VPN details, cryptographic keys, and other vital customer information.
“In the wrong hands, the data gleaned from the devices – including customer data, router-to-router authentication keys, application lists, and much more – is enough to launch a cyberattack,” the Slovak cybersecurity firm said.