CVE-2025-61103 Overview
A NULL pointer dereference vulnerability has been discovered in FRRouting (FRR), a widely-used open-source routing protocol suite. The vulnerability exists in the show_vty_ext_link_lan_adj_sid function within ospf_ext.c and affects FRRouting versions from v4.0 through v10.4.1. Remote attackers can exploit this vulnerability to cause a Denial of Service (DoS) condition by sending specially crafted OSPF packets to vulnerable FRRouting instances.
Critical Impact
This vulnerability allows unauthenticated remote attackers to crash FRRouting daemon processes, potentially disrupting network routing infrastructure and causing widespread connectivity issues in enterprise and service provider networks.
Affected Products
- FRRouting v4.0 through v10.4.1
- Network infrastructure utilizing FRRouting for OSPF routing
- Linux-based routing appliances running vulnerable FRR versions
Discovery Timeline
- 2025-10-28 - CVE-2025-61103 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2025-61103
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a memory corruption issue that occurs when the application attempts to dereference a pointer that has a NULL value. In the context of FRRouting, the vulnerable function show_vty_ext_link_lan_adj_sid in the ospf_ext.c file fails to properly validate pointer references before use when processing OSPF extended link data.
When the OSPF daemon receives a malformed or specially crafted OSPF packet, the code path reaches the vulnerable function without adequate null-checking, causing the daemon to attempt to read from or write to memory address zero. This results in an immediate crash of the FRRouting process, effectively denying routing services to the network.
The vulnerability is particularly concerning for network infrastructure as FRRouting is commonly deployed in production environments for dynamic routing. A successful exploit would disrupt OSPF adjacencies and potentially cause routing convergence issues across affected network segments.
Root Cause
The root cause of this vulnerability stems from insufficient input validation and pointer checking within the show_vty_ext_link_lan_adj_sid function. When processing OSPF extended link LAN adjacency SID information, the function fails to verify that required data structures are properly initialized before dereferencing associated pointers. This missing null check allows crafted OSPF packets to trigger a code path where an uninitialized or intentionally nullified pointer is accessed, leading to immediate process termination.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker with network access to a vulnerable FRRouting instance can send specially crafted OSPF packets targeting the OSPF extended link processing functionality. The attack exploits the OSPF protocol handling in FRRouting by including malformed extended link LAN adjacency SID data that triggers the null pointer dereference condition.
The attacker needs to be able to send OSPF packets to the target system, which typically requires being on the same broadcast domain or having routing access to reach the target. OSPF operates at Layer 3 and uses IP protocol number 89, making it accessible from any system that can route packets to the target.
Detection Methods for CVE-2025-61103
Indicators of Compromise
- Unexpected FRRouting daemon crashes or restarts in system logs
- OSPF adjacency flapping or sudden loss of OSPF neighbors
- Core dump files generated by FRRouting processes with crash signatures in ospf_ext.c
- Network monitoring alerts indicating routing table instability
Detection Strategies
- Monitor FRRouting process health and implement alerting on unexpected process terminations
- Analyze system logs for segmentation fault messages associated with FRR OSPF processes
- Deploy network monitoring to detect anomalous OSPF traffic patterns or malformed OSPF packets
- Implement intrusion detection rules to identify suspicious OSPF extended link advertisements
Monitoring Recommendations
- Configure process monitoring tools to track FRR daemon uptime and restart frequency
- Enable detailed OSPF logging to capture packet processing errors before crashes
- Implement network traffic analysis on OSPF-enabled interfaces to baseline normal behavior
- Set up automated alerts for routing table changes that could indicate DoS exploitation
How to Mitigate CVE-2025-61103
Immediate Actions Required
- Upgrade FRRouting to a patched version that addresses the NULL pointer dereference
- Review network access controls to limit which systems can send OSPF traffic to routers
- Implement OSPF authentication to prevent unauthorized OSPF packet injection
- Consider deploying network segmentation to limit blast radius of potential exploitation
Patch Information
The FRRouting project has addressed this vulnerability through GitHub PR #19480. The specific fix is available in commit fdd9574. Organizations should review the GitHub Issue #19471 for additional context and update to a patched version as soon as available through their distribution channels.
Workarounds
- Enable OSPF MD5 or SHA authentication to prevent acceptance of unauthenticated OSPF packets
- Implement access control lists (ACLs) to restrict OSPF traffic to known trusted peers only
- Deploy network-level filtering to drop malformed OSPF packets at network boundaries
- Consider temporarily disabling OSPF extended link features if not operationally required
# Configuration example - Enable OSPF MD5 authentication
vtysh
configure terminal
interface eth0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 YourSecureKey
exit
router ospf
area 0 authentication message-digest
exit
write memory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
