CVE-2023-38802 Overview
CVE-2023-38802 is a denial of service vulnerability affecting FRRouting (FRR) versions 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2. The vulnerability allows a remote attacker to cause a denial of service by sending a crafted BGP update message containing a corrupted attribute 23 (Tunnel Encapsulation). This flaw in BGP path attribute error handling can result in the termination of BGP sessions, potentially disrupting routing infrastructure across affected networks.
Critical Impact
Remote attackers can crash BGP daemons and disrupt network routing by sending specially crafted BGP UPDATE messages with malformed Tunnel Encapsulation attributes, potentially causing widespread network outages.
Affected Products
- FRRouting FRR versions 7.5.1 through 9.0
- Pica8 PICOS version 4.3.3.2
- Debian Linux 10.0, 11.0, and 12.0
- Fedora 37, 38, and 39
Discovery Timeline
- 2023-08-29 - CVE-2023-38802 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-38802
Vulnerability Analysis
This vulnerability stems from improper handling of BGP path attributes, specifically attribute 23 (Tunnel Encapsulation). When FRRouting's BGP daemon (bgpd) receives a BGP UPDATE message containing a malformed Tunnel Encapsulation attribute, it fails to properly validate the attribute data before processing. This improper integrity check (CWE-354) allows an attacker to craft a BGP UPDATE that triggers an assertion failure or crash in the BGP daemon.
The attack is particularly concerning because BGP is the fundamental routing protocol of the Internet. A successful exploit can cause the affected router to lose all BGP peering sessions, leading to route withdrawal and potential network partitioning. The vulnerability requires no authentication and can be exploited over the network without user interaction.
Root Cause
The root cause is insufficient validation of the integrity of BGP path attribute data. The Tunnel Encapsulation attribute (type 23), defined in RFC 5512, has a specific TLV layout that a receiver must verify before using it. When FRRouting receives a BGP UPDATE with a corrupted or maliciously crafted attribute 23, the parsing logic does not handle the malformed data gracefully: instead of marking the attribute as malformed and continuing to operate, the daemon crashes or enters an invalid state.
This violates the BGP error-handling principle that an implementation must remain resilient to malformed data from its peers. Without proper bounds checking and data validation in the attribute parsing routines, the corrupted attribute propagates through the processing pipeline until it causes a fatal error.
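The resilient handling described above, as an added example that is not FRR's code and not part of the original page: a Python walk over an UPDATE's Path Attributes field that checks attribute 23 against the RFC 5512 TLV layout and applies the RFC 7606 dispositions (treat-as-withdraw for a bad attribute, session reset only when the attribute list itself can no longer be walked). GOOD, BAD_TLV and BAD_ATTR are constructed sample byte strings.

```python
import struct

TUNNEL_ENCAP = 23                                 # path attribute type code (RFC 5512)
OPTIONAL, TRANSITIVE, EXT_LEN = 0x80, 0x40, 0x10  # path attribute flag bits

def tunnel_encap_is_well_formed(value: bytes) -> bool:
    """RFC 5512 layout: TLV <type:2><len:2><sub-TLVs>, sub-TLV <type:1><len:1><value>.
    No length field is trusted until it is compared with the bytes that remain."""
    off = 0
    while off < len(value):
        if len(value) - off < 4:
            return False                              # truncated tunnel TLV header
        end = off + 4 + struct.unpack_from("!HH", value, off)[1]
        if end > len(value):
            return False                              # TLV length overruns the attribute
        off += 4
        while off < end:
            if end - off < 2 or off + 2 + value[off + 1] > end:
                return False                          # sub-TLV header or length bad
            off += 2 + value[off + 1]
    return True

def handle_path_attributes(data: bytes) -> str:
    """Walk an UPDATE's Path Attributes field and return the RFC 7606 disposition:
    'accept', 'treat-as-withdraw' (drop only this route) or 'session-reset'."""
    off = 0
    while off < len(data):
        if len(data) - off < (4 if data[off] & EXT_LEN else 3):
            return "session-reset"                    # attribute header truncated
        flags, atype, off = data[off], data[off + 1], off + 2
        if flags & EXT_LEN:
            alen, off = struct.unpack_from("!H", data, off)[0], off + 2
        else:
            alen, off = data[off], off + 1
        if off + alen > len(data):
            # NLRI can no longer be located: reject the whole message, not one route (RFC 7606)
            return "session-reset"
        value, off = data[off:off + alen], off + alen
        if atype == TUNNEL_ENCAP:
            # Attribute 23 is optional transitive. Wrong flags or a bad TLV layout
            # invalidate this route, never the session (RFC 9012, Error Handling).
            if (flags & (OPTIONAL | TRANSITIVE) != (OPTIONAL | TRANSITIVE)
                    or not tunnel_encap_is_well_formed(value)):
                return "treat-as-withdraw"
    return "accept"

# Constructed samples: ORIGIN=IGP, then attribute 23 with one tunnel TLV (type 2) holding one 4-byte sub-TLV
GOOD = bytes([0x40, 1, 1, 0, 0xC0, 23, 10, 0, 2, 0, 6, 1, 4, 10, 0, 0, 1])
BAD_TLV = bytes([0x40, 1, 1, 0, 0xC0, 23, 10, 0, 2, 0, 60, 1, 4, 10, 0, 0, 1])  # TLV claims 60 bytes
BAD_ATTR = bytes([0x40, 1, 1, 0, 0xC0, 23, 40, 0, 2, 0, 6, 1, 4, 10, 0, 0, 1])  # attribute claims 40
```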
Attack Vector
The attack vector is network-based and requires the attacker to be able to send BGP UPDATE messages to the target router. This can be achieved through:
- Direct BGP Peering: An attacker with an established BGP session with the target can send malicious UPDATE messages directly
- Transit Attack: Malicious UPDATE messages can potentially propagate through BGP peers, affecting downstream routers
- BGP Hijacking: An attacker could announce routes with the malicious attribute from any AS that peers with affected networks
The attack does not require any privileges or user interaction. An attacker simply needs to craft a BGP UPDATE message with a corrupted Tunnel Encapsulation attribute (attribute code 23) and transmit it to an affected FRRouting instance. Upon processing the malformed attribute, the BGP daemon will crash, causing all BGP sessions to drop.
The vulnerability is described in detail in the Benjojo Blog Post on BGP Error Handling, which provides technical analysis of how BGP implementations handle attribute errors.
Detection Methods for CVE-2023-38802
Indicators of Compromise
- Unexpected BGP daemon (bgpd) crashes or restarts in FRRouting installations
- Sudden loss of all BGP peering sessions followed by route withdrawals
- Core dump files indicating assertion failures in BGP attribute parsing code
- Log entries showing malformed or invalid BGP UPDATE messages with attribute type 23
Detection Strategies
- Monitor BGP daemon stability and alert on unexpected process restarts or crashes
- Implement BGP session monitoring to detect sudden mass peer disconnections
- Analyze BGP UPDATE messages for anomalous or malformed Tunnel Encapsulation attributes
- Review system logs for FRRouting crash reports and BGP-related errors
- Deploy network intrusion detection rules to identify malformed BGP packets
Monitoring Recommendations
- Enable comprehensive logging for BGP UPDATE processing in FRRouting configurations
- Implement real-time monitoring of BGP session states across all peering relationships
- Set up alerts for BGP daemon process health using system monitoring tools
- Consider deploying BGP route monitoring services to detect unexpected route changes
- Maintain packet captures on BGP peering interfaces for forensic analysis when incidents occur
How to Mitigate CVE-2023-38802
Immediate Actions Required
- Update FRRouting to a patched version that addresses CVE-2023-38802
- Review BGP peering configurations and consider implementing prefix filtering
- Monitor BGP sessions closely for any signs of exploitation attempts
- Implement route flap damping to reduce impact of potential DoS attacks
- Consider BGP session authentication (TCP-MD5 or TCP-AO) to limit attack surface
Patch Information
Security patches have been released through various distribution channels. Organizations running affected FRRouting versions should apply updates immediately:
- Debian users should refer to Debian Security Advisory DSA-5495 and the Debian LTS Security Announcement
- Fedora users should check the Fedora Package Announcements for updated packages
- Pica8 PICOS users should contact Pica8 support for patch availability
Workarounds
- Implement strict BGP prefix and AS-path filtering to limit exposure to potentially malicious routes
- Consider using BGP session authentication mechanisms to ensure only trusted peers can establish sessions
- Deploy rate limiting on BGP UPDATE messages to slow potential exploitation attempts
- If feasible, temporarily disable acceptance of Tunnel Encapsulation attributes until patches are applied
- Segment network infrastructure to limit the blast radius of potential BGP daemon crashes
# Example FRRouting configuration for BGP session authentication and GTSM
# Add to /etc/frr/frr.conf (AS numbers 65001/65002 and 192.0.2.1 are placeholder values;
# FRR requires the remote-as line before any other neighbor command)
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 password YOUR_SECURE_PASSWORD
 neighbor 192.0.2.1 ttl-security hops 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.