CVE-2019-5892 in FRRouting

Summary

by MITRE

bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0.4, 4.x before 4.0.1, 5.x before 5.0.2, and 6.x before 6.0.2 (not affecting Cumulus Linux or VyOS), when ENABLE_BGP_VNC is used for Virtual Network Control, allows remote attackers to cause a denial of service (peering session flap) via attribute 255 in a BGP UPDATE packet. This occurred during Disco in January 2019 because FRR does not implement RFC 7606, and therefore the packets with 255 were considered invalid VNC data and the BGP session was closed.

Analysis

by VulDB Data Team • 06/26/2023

The vulnerability CVE-2019-5892 affects FRRouting FRR versions 2.x through 6.x before specific patch releases, representing a critical denial of service flaw in the bgpd daemon that handles BGP peering operations. This issue specifically impacts systems utilizing the ENABLE_BGP_VNC feature for Virtual Network Control, which is a mechanism for handling virtual network connectivity in routing environments. The vulnerability stems from the absence of proper implementation of RFC 7606, a standard that governs the handling of unrecognized BGP attributes, particularly those with the attribute type 255 that may be used for experimental or vendor-specific purposes in BGP implementations. When a malicious or improperly configured BGP peer sends an UPDATE packet containing attribute 255, the FRRouting software fails to properly process this attribute according to established standards, leading to session instability.

The technical flaw manifests when the bgpd process encounters BGP UPDATE packets with attribute type 255, which are not properly validated or handled according to RFC 7606 specifications. This particular attribute type is designated for experimental use and should be handled gracefully by BGP implementations, with the receiving system either ignoring the attribute or processing it according to established procedures. However, FRRouting's implementation treats these packets as invalid VNC data, triggering immediate session termination and causing the BGP peering session to flap repeatedly. This behavior represents a failure in the protocol compliance and robustness of the routing daemon, where the system does not follow the graceful degradation principles outlined in network protocol standards. The vulnerability affects all versions of FRRouting from 2.x through 6.x, indicating a widespread implementation issue that was not properly addressed across multiple major releases.

The operational impact of this vulnerability is severe, as it can cause complete disruption of BGP peering sessions and potentially affect network connectivity across large-scale deployments. When a BGP session flaps due to this vulnerability, it creates instability in the routing infrastructure, leading to potential black holes in network traffic and service degradation. The flapping behavior occurs because the system closes the BGP session upon receiving the malformed packet and then attempts to re-establish it, creating a loop that can persist until the offending packet is filtered or the system is restarted. This type of denial of service attack can be executed remotely by any BGP peer that has access to send UPDATE packets to the vulnerable FRRouting instance, making it particularly dangerous in environments where external peers may not be fully trusted. The vulnerability is especially concerning because it affects the core routing functionality of the system, which is fundamental to network operations.

Mitigation for CVE-2019-5892 starts with immediate patching to the fixed release of the installed series (FRRouting 3.0.4, 4.0.1, 5.0.2 or 6.0.2), which contain the proper implementation of RFC 7606 for handling attribute type 255. Organizations should also implement network-level filtering to prevent BGP UPDATE packets containing attribute 255 from reaching vulnerable FRRouting instances, particularly when these packets are not from trusted peers. This filtering should follow the ATT&CK framework's network ingress denial techniques, where the network infrastructure is hardened against malformed packet injection. Additionally, system administrators should monitor BGP session stability and implement proper logging to detect potential exploitation attempts. The vulnerability aligns with CWE-252, which describes an issue where a system fails to check for an error condition, and with ATT&CK technique T1498, which covers network denial of service attacks. Organizations should also consider BGP session monitoring tools that detect and alert on session flapping, which would help identify exploitation attempts before they cause significant disruption to network services.
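As an added example (not FRR code and not part of the advisory), the logging check described above can be done passively: walk the path attributes of a captured UPDATE and report type 255 while leaving the message itself alone. The function names, `WATCHED_TYPES` and the sample message are assumptions constructed for this example.

```python
import struct

HEADER_LEN = 19          # 16-byte marker, 2-byte length, 1-byte type
UPDATE = 2               # BGP message type for UPDATE
EXTENDED_LENGTH = 0x10   # attribute flag: length field is 2 bytes, not 1
WATCHED_TYPES = {255}    # assumption: alert on the type named in the CVE

def path_attributes(msg: bytes):
    """Return [(flags, type_code, value)] for one complete BGP UPDATE."""
    if len(msg) < HEADER_LEN + 4:
        raise ValueError("too short for an UPDATE")
    length, msg_type = struct.unpack_from("!HB", msg, 16)
    if msg_type != UPDATE or length != len(msg):
        raise ValueError("not exactly one UPDATE message")
    (withdrawn_len,) = struct.unpack_from("!H", msg, HEADER_LEN)
    pos = HEADER_LEN + 2 + withdrawn_len
    if pos + 2 > len(msg):
        raise ValueError("withdrawn routes overrun the message")
    (attrs_len,) = struct.unpack_from("!H", msg, pos)
    pos += 2
    end = pos + attrs_len
    if end > len(msg):
        raise ValueError("attribute block overruns the message")
    attrs = []
    while pos < end:
        hdr = 4 if msg[pos] & EXTENDED_LENGTH else 3
        if pos + hdr > end:
            raise ValueError("truncated attribute header")
        flags, type_code = msg[pos], msg[pos + 1]
        alen = int.from_bytes(msg[pos + 2:pos + hdr], "big")
        pos += hdr
        if pos + alen > end:
            raise ValueError("attribute value overruns the block")
        attrs.append((flags, type_code, msg[pos:pos + alen]))
        pos += alen
    return attrs

def watched_attributes(msg: bytes):
    """Report (type_code, length) for watched types; the UPDATE is not rejected."""
    return [(t, len(v)) for _, t, v in path_attributes(msg) if t in WATCHED_TYPES]

def constructed_sample() -> bytes:
    """Constructed test vector: ORIGIN plus an optional transitive attribute 255."""
    attrs = bytes([0x40, 1, 1, 0]) + bytes([0xC0, 255, 4, 0, 0, 0, 1])
    body = struct.pack("!HH", 0, len(attrs)) + attrs   # no withdrawn routes, no NLRI
    return b"\xff" * 16 + struct.pack("!HB", HEADER_LEN + len(body), UPDATE) + body
```

Run it over BGP messages reassembled from a capture on TCP port 179 and correlate any hit with session resets in the bgpd log.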

Reservation: 01/10/2019
Disclosure: 01/10/2019
Moderation: accepted
CPE: ready
EPSS: 0.03602
KEV: no
Activities: very low
