
Frr Bgp DOS
Closed, Resolved (Public)

Description

As you can read at

https://mailman.nanog.org/pipermail/nanog/2019-January/098761.html

There is a serious issue in FRR. Please update to the current version.

If I have read the IRC logs right, one user reported it.

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.0-EPA2
Why the issue appeared?: Will be filled on close

Event Timeline

rherold created this object in space S1 VyOS Public.

Wow, this explains why all my sessions dropped yesterday.

We plan to resume the experiments January 16th (next Wednesday), and
have updated the experiment schedule [A] accordingly.  As always, we
welcome your feedback.

Hopefully EPA3 with a fixed FRR will be out by then...

rherold triaged this task as Unbreak Now! priority. Jan 8 2019, 8:57 PM

Please unbreak now. The next test date was announced!!

The FRR devs have released binary packages including the fix and
announced it on the FRR mailing lists.  After considering the feedback
on the list and discussing with FRR devs, we will postpone the
experiments until Jan. 23rd, and have updated the schedule to reflect
the delayed start and shorter timeline [A].  We will follow up with
FRR devs and mailing lists/users.
syncer claimed this task.
syncer added a subscriber: syncer.

VyOS is not affected by this issue
https://vulmon.com/vulnerabilitydetails?qid=CVE-2019-5892
as it requires an FRR build with certain options which we do not use

That seems odd, my global peerings all reset at the time of the test. @mariusno and @rherold did you experience something similar?

It can be some other issue though.
We would appreciate it if it's possible to get a procedure for how to reproduce, and we are happy to work with the FRR devs to address that.

@syncer that's not true:

vyos@fw-1:~$ /usr/lib/frr/bgpd -v
bgpd version 6.1-dev
Copyright 1996-2005 Kunihiro Ishiguro, et al.
configured with:
'--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libexecdir=${prefix}/lib/frr' '--disable-maintainer-mode' '--enable-exampledir=/usr/share/doc/frr/examples/' '--localstatedir=/var/run/frr' '--sbindir=/usr/lib/frr' '--sysconfdir=/etc/frr' '--enable-snmp' '--enable-ospfapi=yes' '--enable-multipath=256' '--enable-fpm' '--enable-user=frr' '--enable-group=frr' '--enable-vty-group=frrvty' '--enable-configfile-mask=0640' '--enable-logfile-mask=0640' '--disable-werror' '--with-libpam' '--enable-systemd=yes' '--enable-cumulus=no' '--disable-dependency-tracking' '--enable-bgp-vnc=yes' '--enable-rpki' 'build_alias=x86_64-linux-gnu'
vyos@fw-1:~$

This is from EPA2, and there you can clearly see: '--enable-bgp-vnc=yes'

From the CVE:

"FRRouting “FRR” (bgpd) on any platforms if it is configured (during compile time) with --enable-vnc. This includes packages released by the FRR team and FreeBSD Ports"

"Any other version built with VNC disabled. To check your version and whether it has bgp-vnc enabled, use either the vtysh command show version (if FRR is running) or bgpd --version if FRR is not running and look for “bgp-vnc” in the output (example: --enable-bgp-vnc=yes or similar). If there is no output containing “bgp-vnc”, then vnc is disabled, and that version is not vulnerable."
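
The check quoted from the advisory above, as an added shell example (not part of the original thread and not VyOS or FRR tooling): it classifies the bgp-vnc build option from `bgpd -v` output. Going beyond the quoted text, it assumes `=no` and `--disable-bgp-vnc` mean disabled and lets the last occurrence win, as autoconf does; the function name `vnc_build_state`, the `BGPD` variable and the abbreviated sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the bgp-vnc configure option in the output of
# `bgpd -v` (or `vtysh -c 'show version'`) read from stdin.
# Prints one of: enabled | disabled | absent

vnc_build_state() {
    # Strip the quotes around each configure argument and put one per line.
    tr -d "'\"" | tr -s ' \t' '\n\n' | {
        state=absent
        # "|| [ -n ... ]" keeps a final token that has no trailing newline.
        while IFS= read -r opt || [ -n "$opt" ]; do
            case $opt in
                # Assumption: explicit negative forms count as disabled.
                --disable-bgp-vnc|--enable-bgp-vnc=no) state=disabled ;;
                # Bare flag or any other value (=yes "or similar").
                --enable-bgp-vnc|--enable-bgp-vnc=*)   state=enabled ;;
            esac
            # No break: a later occurrence overrides an earlier one, the
            # same way repeated configure arguments are resolved.
        done
        printf '%s\n' "$state"
    }
}

# Sample input: the EPA2 output shown above, abbreviated to a few options.
SAMPLE_EPA2="bgpd version 6.1-dev
configured with:
'--build=x86_64-linux-gnu' '--prefix=/usr' '--enable-cumulus=no' '--enable-bgp-vnc=yes' '--enable-rpki'"

# Path taken from the session above; override with BGPD=/path/to/bgpd.
BGPD=${BGPD:-/usr/lib/frr/bgpd}
if [ -x "$BGPD" ]; then
    printf 'bgp-vnc build option: %s\n' "$("$BGPD" -v 2>&1 | vnc_build_state)"
else
    printf 'sample (EPA2, abbreviated): %s\n' \
        "$(printf '%s\n' "$SAMPLE_EPA2" | vnc_build_state)"
fi
```

A result of `enabled` only says the build falls in the category the advisory describes; whether the installed package already carries the fix has to be checked against the package version.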

syncer lowered the priority of this task from Unbreak Now! to High.

You are right,
fix will be in epa3

syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-EPA3) board.
syncer added a subscriber: dmbaturin.

@dmbaturin
please remove offending --enable-bgp-vnc=yes

No need to disable VNC :-) The FRR package should be fixed already so just need to make sure it is in EPA3.

@danhusan Yup, I experienced BGP reset/flapping at the same time. Looking forward to EPA3 :)

syncer moved this task from In Progress to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-EPA3) board.
syncer added a project: VyOS-1.2.0-GA.