CVE-2022-40302 in FRRouting
Summary
by MITRE • 05/03/2023
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/30/2025
The vulnerability CVE-2022-40302 affects FRRouting version 8.4 and earlier, specifically within the bgpd component responsible for BGP protocol operations. This issue stems from improper handling of BGP OPEN messages that contain option type 0xff, which represents the Extended Length format defined in RFC 9072. The flaw occurs when the BGP daemon processes these specially crafted messages, leading to system instability and potential service disruption.
The technical root cause lies in inconsistent boundary checks within the BGP message parsing logic. When processing BGP OPEN messages with option type 0xff, the code attempts to read 3 bytes instead of the expected 2 bytes for standard option handling. This discrepancy creates a critical buffer overread condition that triggers assertion failures within the daemon. The inconsistency arises because the validation mechanisms do not properly account for the extended length format, which allows for larger option values that exceed the standard 2-byte boundary assumptions.
This vulnerability presents significant operational impact as it can be exploited to cause denial of service conditions without requiring authentication or specialized privileges. Attackers need only send a malformed BGP OPEN message to trigger the assertion failure, resulting in daemon restarts or out-of-bounds memory reads that can crash the routing process. The implications extend beyond simple service interruption, as BGP daemon failures can cascade into network routing disruptions affecting multiple network segments and potentially causing widespread connectivity issues.
The flaw aligns with CWE-129, which addresses improper validation of buffer limits, and demonstrates characteristics consistent with ATT&CK technique T1499.004 for network disruption. Organizations utilizing FRRouting for BGP operations face heightened risk when exposed to untrusted BGP peers or when operating in environments where malicious actors could inject crafted BGP messages. The vulnerability affects network infrastructure reliability and can be particularly dangerous in mission-critical deployments where BGP stability is paramount for maintaining network connectivity.
Mitigation strategies include immediate upgrade to FRRouting version 8.5 or later where this vulnerability has been patched, implementing BGP message filtering to reject malformed OPEN messages, and deploying network monitoring solutions to detect unusual BGP traffic patterns. Network administrators should also consider implementing access control lists to restrict BGP peer relationships and ensure that only trusted peers can establish BGP sessions. Additionally, regular security assessments of routing infrastructure and proper incident response procedures should be established to quickly address potential exploitation attempts and maintain network resilience against such attacks.