Iggy Frankovic

**Name of the Vulnerable Software and Affected Versions** FRRouting versions through 10.1 **Description** An issue was discovered in the `bgp attr encap` function in the `bgpd/bgp attr.c` file, which does not check the actual remaining stream length before taking the TLV value. This can allow a remote attacker to cause a denial of service. **Recommendations** For versions through 10.1, consider disabling the `bgp attr encap` function as a temporary workaround until a patch is available. Restrict access to the `bgpd/bgp attr.c` file to minimize the risk of exploitation. Avoid using the TLV value in the affected `bgp attr encap` function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting versions through 9.1 **Description** The issue is related to a buffer overflow in the Opaque LSA Extended Link parser, specifically in the `ospf te parse ext link` function, when handling OSPF LSA packets with Segment Routing Adjacency SID subTLVs. The lengths of these subTLVs are not validated, which can lead to a daemon crash. This can potentially allow a remote attacker to execute arbitrary code or cause a denial of service. **Recommendations** For FRRouting versions through 9.1, as a temporary workaround, consider disabling the `ospf te parse ext link` function until a patch is available. Restrict access to the Opaque LSA Extended Link Parser component to minimize the risk of exploitation. Avoid using the Segment Routing Adjacency SID subTLVs in OSPF LSA packets until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting versions through 9.1 **Description** The issue is related to a buffer overflow and daemon crash in the `ospf te parse ri` function for OSPF LSA packets during an attempt to read Segment Routing subTLVs, whose size is not validated. This can allow a remote attacker to cause a denial of service. **Recommendations** For FRRouting versions through 9.1, as a temporary workaround, consider disabling the `ospf te parse ri` function until a patch is available. Restrict access to the OSPF LSA Packet Handler component to minimize the risk of exploitation. Avoid using the affected Segment Routing subTLVs in the OSPF LSA packets until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FRRouting versions through 9.1 **Description** The issue is related to the Dynamic Capability Handler component in FRRouting, which can lead to an infinite loop when receiving a MP/GR capability as a dynamic capability due to malformed data causing a pointer not to advance. This can allow a remote attacker to cause a denial of service. **Recommendations** For versions through 9.1, consider disabling the Dynamic Capability Handler component as a temporary workaround until a patch is available. Restrict access to the MP/GR capability to minimize the risk of exploitation. Avoid using malformed data in the dynamic capability to prevent the infinite loop.

**Name of the Vulnerable Software and Affected Versions** FRRouting versions through 9.1 **Description** The issue is related to improper input validation, allowing a remote attacker to cause a denial of service by exploiting the vulnerability. Specifically, an attacker can use a malformed Prefix SID attribute in a BGP UPDATE packet to crash the bgpd daemon. **Recommendations** For versions through 9.1, consider disabling the bgpd daemon or restricting its use until a patch is available to prevent potential crashes caused by malformed Prefix SID attributes in BGP UPDATE packets. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting (FRR) versions through 9.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in the ospfd daemon crash, via a malformed OSPF LSA packet. This occurs because of an attempted access to a missing attribute field in the `ospf te parse te` function in `ospfd/ospf te.c`. **Recommendations** For FRRouting (FRR) versions through 9.1, update to a version that fixes the issue in the `ospf te parse te` function to prevent the denial of service. As a temporary workaround, consider restricting access to the `ospfd` daemon to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FRRouting FRR versions through 9.0.1 **Description** An issue was discovered in FRRouting where a crash can occur when a malformed BGP UPDATE message with an EOR is processed. This happens because the presence of EOR does not lead to a treat-as-withdraw outcome, allowing a remote attacker to cause a denial of service. The issue is related to the incorrect processing of a formed BGP UPDATE message with EOR. **Recommendations** For versions through 9.0.1, consider disabling the processing of BGP UPDATE messages with EOR as a temporary workaround until a patch is available. Restrict access to the BGP UPDATE functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting versions through 9.0.1 **Description** The issue is related to the improper handling of a crafted BGP UPDATE message with a MP UNREACH NLRI attribute and additional NLRI data that lacks mandatory path attributes. This can cause a crash when processed. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include the use of a crafted BGP UPDATE message with a `MP UNREACH NLRI` attribute and additional `NLRI` data. **Recommendations** For versions through 9.0.1, consider updating to a version that contains a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting versions through 9.0.1 **Description** The issue is related to insufficient input validation in FRRouting, which can be exploited by a remote attacker to cause a denial of service. Specifically, it mishandles malformed MP REACH NLRI data, leading to a crash. **Recommendations** For versions through 9.0.1, consider disabling the handling of MP REACH NLRI data as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting versions through 9.0.1 **Description** An issue was discovered in FRRouting where a crash can occur for a crafted BGP UPDATE message without mandatory attributes, such as one with only an unknown transit attribute. This issue is related to an uncontrolled resource consumption vulnerability, which can be exploited by a remote attacker to cause a denial of service using a specially crafted file. **Recommendations** For versions through 9.0.1, consider disabling the handling of BGP UPDATE messages without mandatory attributes as a temporary workaround until a patch is available. Restrict access to the BGP protocol to minimize the risk of exploitation. Avoid processing unknown transit attributes in BGP UPDATE messages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting FRR through 9.0 **Description** An issue was discovered in FRRouting FRR, where the file bgpd/bgp packet.c can read the initial byte of the ORF header in an ahead-of-stream situation. This may allow a remote attacker to disclose protected information or cause a denial of service. **Recommendations** For FRRouting FRR through 9.0, consider disabling the bgpd/bgp packet.c functionality until a patch is available to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting FRR versions through 9.0 **Description** An issue was discovered in FRRouting FRR, where there is an out-of-bounds read in `bgp attr aigp valid` in `bgpd/bgp attr.c` because there is no check for the availability of two bytes during AIGP validation. This could allow a remote attacker to cause a denial of service. **Recommendations** For FRRouting FRR versions through 9.0, consider disabling the `bgp attr aigp valid` function until a patch is available to prevent potential exploitation. Restrict access to the `bgpd/bgp attr.c` module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting FRR versions through 9.0 **Description** An issue was discovered in FRRouting FRR where the bgpd/bgp packet.c file processes NLRIs if the attribute length is zero. This can allow a remote attacker to cause a denial of service. **Recommendations** For FRRouting FRR versions through 9.0, consider disabling the processing of NLRIs with zero attribute length in the bgpd/bgp packet.c file as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting FRR version 9.0 **Description** An issue was discovered in FRRouting FRR, where the `bgpd/bgp open.c` file does not check for an overly large length of the `rcv` software version. This could allow a remote attacker to cause a denial of service. **Recommendations** For FRRouting FRR version 9.0, as a temporary workaround, consider disabling the `bgp open` function in `bgpd/bgp open.c` until a patch is available. Restrict access to the `bgpd` module to minimize the risk of exploitation. Avoid using the `rcv` software version in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FRRouting versions prior to 8.5 **Description** The issue is related to the bgpd/bgp label.c file in FRRouting, which attempts to read beyond the end of the stream during labeled unicast parsing. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 8.5, update to version 8.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the bgpd/bgp label.c component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FRRouting versions prior to 8.4.3 **Description** The issue is related to the handling of incorrect requests without attributes in the bgpd/bgp flowspec.c file of FRRouting, a Unix-like system network routing implementation tool. This can be exploited by a remote attacker to cause a denial of service, due to a "flowspec overflow" when an nlri length of zero is mishandled. **Recommendations** For versions prior to 8.4.3, update to version 8.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the bgpd/bgp flowspec.c module to minimize the risk of exploitation.