Cybersecurity researchers have found weaknesses in software implementations of the Border Gateway Protocol (BGP) that can be weaponized to achieve denial-of-service (DoS) conditions on vulnerable BGP peers.
All three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. Because it is used by several vendors such as NVIDIA Cumulus, CURVE and SONiC, the flaws also pose a supply chain risk.
This discovery is the result of an analysis of seven different BGP implementations conducted by Forescout Vedere Labs: FRRouting, BIRD, OpenBGPd, Mikrotik RouterOS, Juniper JunOS, Cisco IOS, and Arista EOS.
BGP is a gateway protocol designed to exchange routing and reachability information between autonomous systems. It is used to find the most efficient route for sending internet traffic.
The list of the three flaws is as follows –
- CVE-2022-40302 (CVSS score: 6.5) – Out-of-bounds read while processing a malformed BGP OPEN message with the Optional Extended Parameter Length option.
- CVE-2022-40318 (CVSS score: 6.5) – Out-of-bounds read while processing a malformed BGP OPEN message with the Optional Extended Parameter Length option.
- CVE-2022-43681 (CVSS score: 6.5) – Out-of-bounds read while processing a malformed BGP OPEN message that abruptly ends with the option length octet.
These issues “could be exploited by an attacker to achieve a DoS state on a vulnerable BGP peer, thereby terminating all BGP sessions and routing tables and rendering the peer unresponsive,” the company said in a report shared with The Hacker News.
“DoS conditions can be extended indefinitely by repeatedly sending defective packets. The root cause is the same pattern of vulnerable code copied into multiple functions associated with different stages of parsing the OPEN message.”
Threat actors can spoof the valid IP addresses of trusted BGP peers, or exploit flaws and misconfigurations to compromise legitimate peers, and then send unsolicited, specially crafted BGP OPEN messages.
This is possible because “FRRouting starts processing OPEN messages (e.g., decapsulating optional parameters) before it gets a chance to verify the BGP Identifier and ASN fields of the originating router.”
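The defensive counterpart to the pattern described above is a parser that checks the remaining length before every read of the OPEN optional parameters. The following is an added example, not FRRouting's or Forescout's code: a bounds-checked walk over the optional parameters in both the RFC 4271 encoding and the RFC 9072 extended-length encoding, run over constructed sample messages, including one that ends on a parameter length octet and one whose declared extended length exceeds what was received.

```c
#include <stdint.h>
#include <stdio.h>

enum { OPEN_TRUNCATED = -1, OPEN_BAD_LENGTH = -2 };

/* Bounds-checked walk over the Optional Parameters of a BGP OPEN body (the bytes
 * after the 19-octet common header). Fixed fields (RFC 4271): Version(1) My-AS(2)
 * Hold-Time(2) BGP-Identifier(4) Opt-Parm-Len(1). When Opt-Parm-Len and the next
 * octet are both 255, RFC 9072 extended encoding applies: a 2-octet block length and
 * 2-octet per-parameter lengths. Every octet is checked against the remaining length
 * before it is read, so a message that stops on a type or length octet is rejected
 * instead of read past the end. Returns the parameter count or a negative error. */
int bgp_open_walk_params(const uint8_t *body, size_t len)
{
    size_t off = 10, params_len, len_len = 1;
    int count = 0;
    if (len < off) return OPEN_TRUNCATED;
    params_len = body[9];
    if (params_len == 255 && len >= off + 3 && body[off] == 255) {
        params_len = ((size_t)body[off + 1] << 8) | body[off + 2];
        off += 3;
        len_len = 2;
    }
    if (params_len > len - off) return OPEN_BAD_LENGTH;     /* declared > received */
    size_t end = off + params_len;
    while (off < end) {
        if (end - off < 1 + len_len) return OPEN_TRUNCATED; /* stops on type/length */
        size_t plen = (len_len == 1) ? body[off + 1]
                                     : ((size_t)body[off + 1] << 8) | body[off + 2];
        off += 1 + len_len;
        if (plen > end - off) return OPEN_TRUNCATED;        /* value past the end */
        off += plen;
        count++;
    }
    return count;
}

/* Constructed sample bodies: AS 65000, hold time 180, BGP ID 10.0.0.1, then one
 * Capabilities parameter (type 2) carrying an MP capability for IPv4 unicast. */
#define HDR 0x04,0xFD,0xE8,0x00,0xB4,0x0A,0x00,0x00,0x01
static const uint8_t OPEN_OK[]      = {HDR,0x08, 0x02,0x06,0x01,0x04,0x00,0x01,0x00,0x01};
static const uint8_t OPEN_CUT[]     = {HDR,0x02, 0x02,0x06};      /* ends on length octet */
static const uint8_t OPEN_EXT[]     = {HDR,0xFF,0xFF,0x00,0x09, 0x02,0x00,0x06,0x01,0x04,0x00,0x01,0x00,0x01};
static const uint8_t OPEN_EXT_BAD[] = {HDR,0xFF,0xFF,0x00,0x20, 0x02,0x00,0x06,0x01,0x04,0x00,0x01,0x00,0x01};

int main(void)
{
    printf("ok=%d cut=%d ext=%d ext_bad=%d\n", bgp_open_walk_params(OPEN_OK, sizeof OPEN_OK),
           bgp_open_walk_params(OPEN_CUT, sizeof OPEN_CUT), bgp_open_walk_params(OPEN_EXT, sizeof OPEN_EXT),
           bgp_open_walk_params(OPEN_EXT_BAD, sizeof OPEN_EXT_BAD));   /* ok=1 cut=-1 ext=1 ext_bad=-2 */
    return 0;
}
```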
Forescout has also released an open source tool called bgp_boofuzzer that allows organizations to test the security of the BGP suites they use internally, as well as discover new vulnerabilities in BGP implementations.
“Modern BGP implementations still have low-hanging fruit that can be abused by an attacker,” says Forescout. “To mitigate the risk of a vulnerable BGP implementation, (…) the best recommendation is to patch network infrastructure devices frequently.”
The findings come a few weeks after ESET found that used routers previously deployed in business network environments still held sensitive data, including company credentials, VPN details, cryptographic keys, and other important customer information.
“In the wrong hands, the data obtained from the device – including customer data, router-to-router authentication keys, application lists, and more – is sufficient to launch a cyber attack,” the Slovak cybersecurity firm said.